Time Optimal Self- Stabilizing Spanning Tree Algorithms 

by 

Sudhanshu Madan Aggarwal 

Submitted to the Department of Electrical Engineering and Computer Science 
in partial fulfillment of the requirements for the degrees of 

Bachelor of Science 

and 

Master of Science in Electrical Engineering and Computer Science 

at the 

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 

May 1994 

© Sudhanshu Madan Aggarwal, MCMXCIV. All rights reserved. 

The author hereby grants to MIT permission to reproduce and distribute publicly 
paper and electronic copies of this thesis document in whole or in part, and to grant 

others the right to do so. 



Author 

Department of Electrical Engineering and Computer Science 

May 20, 1994 

Certified by 

Dr. Shay Kutten 
Manager - Distributed Computing, IBM T. J. Watson Research Center 

Thesis Supervisor 

Certified by 

Nancy A. Lynch 

Professor of Computer Science 

Thesis Supervisor 

Certified by 

Roberto Segala 
Research Associate, MIT Laboratory for Computer Science 

Thesis Supervisor 

Accepted by 

Frederic R. Morgenthaler 
Chairman, Departmental Committee on Graduate Students 



Time Optimal Self-Stabilizing Spanning Tree Algorithms 

by 
Sudhanshu Madan Aggarwal 

Submitted to the Department of Electrical Engineering and Computer Science 

on May 20ri994rin partial fulfillment of the 

requirements for the degrees of 

Bachelor of Science 

and 

Master of Science in Electrical Engineering and Computer Science 



Abstract 

This thesis presents time-optimal self- stabilizing algorithms for distributed spanning tree com- 
putation in asynchronous networks. We present both a randomized algorithm for anonymous 
networks as well as a deterministic version for ID-based networks. Our protocols are the first 
to be time-optimal (i.e. stabilize in time (diameter)) without any prior knowledge of the 
network size or diameter. Both results are achieved through a technique of symmetry breaking 
that may be of independent interest. 

Executions of randomized distributed algorithms contain a combination of nondetermin- 
istic and probabilistic choices; these choices often involve subtle interactions that often make 
such algorithms difficult to verify and analyze. Segala and Lynch have recently developed the 
Probabilistic Automata model to aid in reasoning about randomized distributed algorithms; 
their model is related to the earlier work of Lynch and Vaandrager. We use the Probabilistic 
Automata formalism to analyze the correctness and time complexity of our randomized algo- 
rithm for anonymous networks; in doing soLwe demonstrate the effectiveness of the formalism 
in reasoning about randomized algorithms. 



Thesis Supervisor: Dr. Shay Kutten 

Title: Manager-Distributed ComputingLIBM T.J.Watson Research Center 

Thesis Supervisor: Nancy A. Lynch 
Title: Professor of Computer Science 

Thesis Supervisor: Roberto Segala 

Title: Research AssociateLMIT Laboratory for Computer Science 



Acknowledgments 

I would like to thank my mentors and colleagues who have guided me through the course of 
this long project. 

I would like to thank Shay Kutten for suggesting this research topic in the first place. Shay 
has been instrumental in guiding me through the earlier phases of this work; he has also been 
a most effective mentor and friend. I also thank IBM for going to great lengths to provide me 
with an opportunity to work with Shay. 

I would like to thank Nancy Lynch for her exemplary patience and encouragement through- 
out the course of this work. Through Nancy I have been exposed to the notions of scholarship 
and rigor; I am also grateful for her willingness to read numerous drafts at long intervals. 

This thesis owes much to Roberto Segala. Roberto provided the motivation for formalizing 
the randomized algorithm; he also suggested the state set C 1 which plays a crucial role in the 
proof. Roberto also "showed me the ropes" around LCS. 

I would also like to thank Boaz Patt- Shamir rAmir HerzbergrBaruch Awerbuch and Alain 
Mayer for the helpful discussions I have had with them in connection with this work. It was 
Boaz who first suggested using the Afek-Matias probability distributionl 1 which provided a 
basis for attacking the initial problem. 

FinallyH would like to thank my parent slwithout whose sacrifice and love this thesis would 
not have been possible. 



Contents 



1 Introduction 13 

2 The Model 17 

2.1 Probabilistic Automata 18 

2.1.1 Automata 18 

2.1.2 Executions 19 

2.1.3 Adversaries 20 

2.1.4 Execution Automata 20 

2.1.5 Events 21 

2.1.6 Timing 21 

2.1.7 Adversary Schemas 22 

2.2 Composability 22 

2.3 Networks as Probabilistic Automata 23 

2.3.1 Fairness 24 

3 General Approaches to Spanning Tree Construction 27 

7 



4 A Key Approach to Representing IDs 31 

4.1 The Afek-Matias Probability Distribution 31 

4.2 ID Representation 33 

4.3 Motivation behind our ID Representation 34 

5 Specification of the Randomized Algorithm 37 

5.1 The Tree Detection Algorithm 44 

6 Correctness and Complexity Proof for the Randomized Algorithm: Part 1 49 

6.1 Spanning Trees 49 

6.2 Overview of the Proof 50 

6.3 Stabilization of Forest StructurerCandidate Root Properties 54 

6.3.1 Forest Structure - Establishment and Preservation 54 

6.3.2 ID Overrunning Properties 58 

6.3.3 Candidate Root Properties 60 

6.4 The ID-forcing Proposition 64 

7 Correctness and Complexity Proof: Part 2 — The Coloring Algorithm 73 

7.1 Forest Stability 76 

7.2 Self-Stabilization of the Coloring Algorithm 78 

7.2.1 The "Monocoloring" Result 82 

7.2.2 The "Blocking" Result 93 

7.2.3 Self-stabilization of the Coloring Algorithm: Main Result 100 

7.3 Tree Detection 101 

8 



7.3.1 The "Order" Results 103 

7.3.2 The Tree Detection Proposition 104 

8 The Deterministic Version 107 

9 Conclusions and Discussion 109 
A Properties of the Afek-Matias Probability Distribution 111 



10 



List of Figures 



5-1 Set S[ u ] — State components of node u 38 

5-2 Actions of node u 39 

5-3 Action COPY ut , 41 

5-4 Action MAXIMIZE-PRIORITY„ 42 

5-5 Action DETECT-TREES U 45 

5-6 Action NEXT-COLOR u 45 

5-7 Action EXTEND-ID„ 46 

5-8 Macros 47 

6-1 Proof Phases 52 



11 



12 



Chapter 1 



Introduction 



The task of spanning tree construction is a basic primitive in communication networks. Many 
crucial network tasksFsuch as network reset (and thus any input /output task)rieader electionr 
broadcastrtopology updateFand distributed database maintenanceFcan be efficiently carried 
out in the presence of a tree defined on the network nodes spanning the entire network. Im- 
proving the efficiency of the underlying spanning tree algorithm usually also correspondingly 
improves the efficiency of the particular task at hand. 

In practiceFcomputation in asynchronous distributed networks is made much more difficult 
because of the possibility of numerous kinds of faults. Nodes may crash or get corrupted; 
links may fail or deliver erroneous messages. Furtherr nodes or links may enter or leave the 
network at any time. A very important concept in the context of this problem is that of self- 
stabilizationT first introduced by Dijkstra [Dij74]. Self-stabilization implies the ability of the 
system to recover from any transient fault that changes the state of the system. Dijkstra gave 
the example of a token-ring network which is always supposed to have exactly one token. IfF 
through some errorrthe network were to have zero or two tokensFa self- stabilizing token ring 
protocol would be able to automatically recover or "stabilize" to a state where the network 
has exactly one token. 

More preciselyTa self-stabilizing algorithm on a system S (e.g. the network) reaching a set 

13 



of legal states V is eventually able to bring S to a state in V when started in any arbitrary 
initial state. In Dijkstra's token-ring examprerP is the set of states in which the ring has 
exactly one token. For a self- stabilizing spanning tree algorithmrP would be the set of states 
having a spanning tree defined on the network nodes. As we can consider the state of the 
system after a transient error to be an arbitrary stateFa self- stabilizing system will eventually 
"recover" from any non-repeating error. Thus self-stabilization is a very strong and highly 
desirable fault-tolerance property. 

We would therefore like to have an efficient self-stabilizing algorithm for spanning tree 
construction in asynchronous networks. 

A key measure of efficiency is the stabilization timeT which is the maximum time taken for 
the algorithm to converge to a "spanning tree" stateFstarting from an arbitrary state. Fet S 
be the diameter of the networkrand let n be the network size - the number of nodes in the 
network. Fhen that the optimal stabilization time must necessarily be £l(S). 

Several factors influence the "difficulty" of the protocol. Fhe protocol can be designed for 
networks that are either ID-based (each node has a unique "hard-wired" ID)ror for networks 
that are anonymous (in which nodes lack unique IDsFso there is no a priori way of distinguish- 
ing them). Fhe protocol may either "know" the network size raFor it may "know" some upper 
bound on raFor it may "know" nothing whatsoever. Similarlyrit may or may not "know" in 
advance a bound on the diameter S. Of courserthe more "knowledge" a protocol "is given" 
about the networkrthe easier it becomes to achieve its objectives. 

Previous Work 

Following the pioneering work of [Dij74]rthere has been considerable work in this area. [Ang 
80] showed that no deterministic algorithm can construct a spanning tree in an anonymous 
symmetric network. [AKY90] gave an ID-based self- stabilizing spanning tree protocol with a 
stabilization time of 0(n 2 ) and a randomized protocol for anonymous networks that runs in 
O(ralog n) time. Fhey presented the technique of "local checking" and "local detectionF used in 

14 



many subsequent papers. [AG90] gave an ID-based self- stabilizing spanning tree protocol with 
time complexity 0(iV 2 )Lwhere N is a pre-specified bound on the network size n. [APV91] gave 
an ID-based self- stabilizing spanning tree protocol (based on a reset protocol) that stabilizes 
in 0(n) time. 

[DIM91] gave a self- stabilizing spanning tree algorithm for anonymous networks that runs 
in expected 0(6 log n) time. [AM89] gave a Monte-Carlo spanning tree protocol for anonymous 
networks that works in 0(6) time; howeverrtheir protocol is not self- stabilizing. (A Monte- 
Carlo algorithm terminates in bounded time but succeeds with probability p < 1; a Las- Vegas 
algorithm may not terminate in bounded time but always succeeds.) With the exception of 
[AG90]rall the other works mentioned above do not assume any prior knowledge of the network 
size n or the diameter 6. 

[DIM91] also mentioned a self- stabilizing spanning tree protocol for anonymous networks 
that requires 0(6) time (and is thus time-optimal)rbut requires prior knowledge of a bound 
N on the network size. Recentlyr[AKMPV93] have developed a time-optimal self- stabilizing 
spanning tree protocol for ID-based networks; theyLtooLrequire prior knowledge of a bound 
D on the diameter of the network. 



Our Results 

We present the first time-optimal self- stabilizing spanning tree algorithms that do not need 
any prior knowledge of the network size or diameter. We present both a randomized Las- Vegas 
algorithm for anonymous networks and a deterministic version for ID-based networks. Both 
our protocols stabilize in expected 0(6) time. 

ThusLwith respect to the O(#logn)-time protocol of [DIM91]Lwe decrease the time com- 
plexity to 0(<*))Land compared to their 0(6)-time protocolLwe do not need a bound N on the 
network size. Unlike [AKMPV93]Lwe do not need a bound D on the diameter. 

Note that for random graphsLthe expected diameter 6 is comparable to log n. For real 
networksFsuch as the InternetLthe diameter is usually less than logra. ThusL decreasing the 

15 



time complexity from O(Slogn) (as in [DIM91]) to 0(6) represents an improvement in the 
time required to less than the square root of that required earlier. 

Both of our protocols employ a novel technique in self-stabilization. A major concern 
in self- stabilizing systems has been contending with "wrong information". For exampleFan 
important problem that arises in spanning tree algorithms is the ghost root phenomenon — 
some nodes in the network may "believe" the existence of a root node that doesn't really exist. 
Most previous approaches to the problem have relied on costly non-local operations such as 
root verification! network resetTor tree dismantling to eliminate the ghost root. Our techniquer 
on the other handHs to modify incorrect information instead of perform the expensive process 
of eliminating it. (A similar idea to that of "correcting information" was implicitly used by 
[DIM91].) The modification is done locally but in a careful manner: local modifications of 
wrong information have important desirable global consequences. We do it without incurring 
the large overhead of global operations such as reset etc. Compared to [DIM91]Twe do stronger 
corrections (but still without causing global overhead). The stronger local corrections enable 
us to have a better running time. 



16 



Chapter 2 



The Model 



We assume that the network is represented by an undirected graph G = (V, E); G consists of a 
set of processors denoted by V = {t>i, v 2 , ■ ■ ■ , v n } and a set of links denoted by E = {Ei, E 2 , ■ ■ ■} 
where each Ei £ E = (vj, v k ) for some j, k. In an ID-based networkTeach processor is assigned 
a unique ID that is "hard- wired" in its memory. In an anonymous or uniform networkTall 
processors of the same degree are identical; they do not have unique IDs assigned to them. We 
refer to the number of processors n as the size of the network. The distance between any two 
processors u and v is the lowest number of links on any path connecting u and v in G. (In an 
anonymous networkrthe labels u and v are used for convenience — they are not the IDs of the 
nodes referred to.) The diameter of the network is the maximum distance between any two 
nodes in V; we denote the diameter by 8. The set of neighbors of node ^denoted Nbrs(u)Tis 
the set {v £ V \ (u,v) G E}. 

The degree of a node v is the number of links incident upon node v. We assume that each 
processor maintains a total order on its neighbors. 

The network is asynchronous; processors perform computation steps independently of each 
other and at arbitrary rates. 

We assume that processors communicate by shared memory. In the shared memory modeir 
each processor is associated with a set of registersT possibly partitioned into a set of local 

17 



registers and a set of shared registers. Processors communicate by performing write operations 
on their registers and read operations on the shared registers of their neighbors. All reads and 
writes are atomic — reads/writes behave as though they occur instantaneously. 

A network communicating through shared memoryFas described aboveFcan be modeled as 
a probabilistic automaton ([SF94]r[FSS94]). 

2.1 Probabilistic Automata 

In this section we give only a simplified version of the model of [SF94] which is sufficient for 
our purposes. 

2.1.1 Automata 

Definition 2.1 A probabilistic automaton M consists of four components: 

• a set states(M) of states. 

• a nonempty set start(M) C states(M) of start states. 

• a set acts(M) of actions. 

• a transition relation steps(M) C states(M) X acts(M) X Probs(states(M))Tw}iere the set 
Probs(states(M)) is the set of probability spaces (S7,S,P) such that S7 C states(M) and 

£ = 2°. ■ 

FhusFa probabilistic automaton is a state machine with a labeled transition relation such 
that the state reached during a step is determined by some probability distribution. For 
examplerthe process of choosing a random color from {0nr2} is represented by a step labeled 
with an action NEXF-COFOR where the next state contains the random color choice and 
is determined by a probability distribution over the three possible outcomes. A probabilistic 

18 



automaton also allows nondeterministic choices over steps. A key instance of nondeterminism 
is the choice of which processor in a network takes the next step. 

Given a state si 1 let V(s)Tth.e Dirac distribution on si 1 denote the probability space that 
assigns probability 1 to s. Specificallyr V(s) = ({s}, 2^, P) such that P[{s}] = 1. As a 
notational convention we write (s,a, s') G steps(M) whenever (s,a,V(s')) G steps(M). 

2.1.2 Executions 

An execution fragment a of a probabilistic automaton M is a (finite or infinite) sequence of 
alternating states and actions starting with a state andrif the execution fragment is finiter 
ending in a state; a = s ais 1 a 2 s 2 • • Twhere for each i there exists a probability space (0, X, P) 
such that (sj, a i+ i, (0, X, P)) G steps(M) and s J+1 6 0. Iff i < jTwe say "s, precedes Sj in 
oF or "sj follows s, in a." Denote by fstate(a) the first state of a andrif a is finiter denote 
by Istate(a) the last state of a. Furthermorer denote by frag*(M) and frag(M) the sets of 
finite and all execution fragments of MT respectively. An execution is an execution fragment 
whose first state is a start state. Denote by exec*(M) and exec(M) the sets of finite and all 
executions of MTrespectively. A state s of M is reachable if there exists a finite execution of 
M that ends in s. Denote by rstates(M) the set of reachable states of M . 

A finite execution fragment o^ = So a i s i • • ~ a n s n of M and an execution fragment a 2 = 
s n a n+ is n+ i ■ ■ ■ of M can be concatenated . In this case the concatenation!^ written o^o^ris 
the execution fragment So a i s i • • • a n s n a n+i s n+i • • •• An execution fragment a-y of M is a prefix 
of an execution fragment o 2 of MT written o^ < o 2 rif either a-y = a 2 or a-y is finite and there 
exists an execution fragment a[ of M such that a 2 = ai^a[. If a = o 1 ^Q! 2 rthen we denote 
a 2 with aoai (read a after o^). 

Let P be a subset of states(M). Set Pis closed^ written P — ► PsTif for any s G P and 
any step (s, a, (0, S,P))Ti7 C P. Thus if P — ► PsTonce an execution reaches a state in UT 
it remains in P. We say that an execution fragment a is in Pif every state in a is in P. 

19 



2.1.3 Adversaries 

In order to study the probabilistic behavior of a probabilistic automatonrsome mechanism to 
remove nondeterminism is necessary. The mechanism that removes the nondeterminism can 
be viewed as an adversary. In distributed systems the adversary is often called the schedulerT 
because its main job may be to decide which process should take the next step. 

Definition 2.2 An adversary for a probabilistic automaton Mis a function A taking a finite 
execution fragment of M and giving back either nothing or one of the enabled steps of M if 
there are any. Denote the set of adversaries for M by Advs M . ■ 

2.1.4 Execution Automata 

Once an adversary is chosenFa probabilistic automaton can run under the control of the chosen 
adversary. The result of the interaction is called an execution automaton. Note that there are 
no nondeterministic choices left in an execution automaton. 

Definition 2.3 An execution automaton H of a probabilistic automaton M is a fully proba- 
bilistic automaton such that 

1. states(H) Cfrag*(M). 

2. for each step (a, a, (0, X, P)) of H there is a step (Istate(a), a, (0', £', P')) of MT called 
the corresponding stepFsuch that = {aas|s £ 0'} and P[aas] = P'[s] for each s G 0'. 

3. each state of H is reachableri.e.rfor each a £ states(H) there exists an execution of H 
leading to state a. ■ 

Definition 2.4 Given a probabilistic automaton MTan adversary A G Advs M T&nd an execu- 
tion fragment a £ /rag*(M)rthe execution H(M,A,a) of M under adversary A with starting 
fragment a is the execution automaton of M whose start state is a and such that for each step 
(a',a, (0, S, P)) G steps(H(M ,A,a))Tits corresponding step is the step A(a'). ■ 

20 



To ease the notationFwe define an operator a]' that takes an execution of M and gives 
back the corresponding execution of HT and a{ that takes an execution of H and gives back 
the corresponding execution of M. 

2.1.5 Events 

Given an execution automaton iZTan event is expressed by means of a set of maximal executions 
of iZTwhere a maximal execution of H is either infiniteFor it is finite and its last state does 
not enable any step in H. For examplerthe event "eventually action a occurs" is the set of 
maximal executions of H where action a does occur. A more formal definition follows. The 
sample space £l H is the set of maximal executions of H . The u-algebra T, H is the smallest 
(T-algebra that contains the set of rectangles i?„rconsisting of the executions of £l H having a 
as a prefix. The probability measure P H is the unique extension of the probability measure 
defined on rectangles as follows: Ph[Ro] is the product of the probabilities of each step of H 
generating a. 

Definition 2.5 An event schema e for a probabilistic automaton Mis a function associating 
an event of T, H with each execution automaton H of M. ■ 

2.1.6 Timing 

To mark the passage of timeFwe include in each state s a real component s.nouT and include 
a special time passage action v in ac£s(M)rwhich increments s.now. For all s G start(M)T 
s.now = 0. 

Definition 2.6 (Duration of an execution fragment) The duration of an execution frag- 
ment a is defined as (Istate(a).now — fstate(a).now). 

A statement of the form "within time t in execution aT property P holds" means that 
property P holds for some state sin a such that s.now < fstate(a).now + t. The statement 

21 



"after time ^property P holds" implies that property P holds for all states sin a such that 
s.now > fstate(a).now + t. 

2.1.7 Adversary Schemas 

We close this section with one final definition. The time bound for our randomized protocol 
states that starting from any staterno matter how the steps of the system are scheduledrthe 
network forms a spanning tree within expected (diameter) time. Howeverrthis claim can 
only be valid if the adversary is fair (as defined above). ThusFwe need a way to restrict the 
set of adversaries for a probabilistic automaton. The following definition provides a general 
way of doing this. 

Definition 2.7 An adversary schema for a probabilistic automaton MT denoted by AdvsTis 
a subset of Advs M . ■ 



2.2 Composability 

In this sectionrwe introduce a key theorem of [SL94]Tthe composability theorem. 

The statement U — >Advs U 1 means thatT starting from any state of U and under any 
adversary A of AdvsTthe probability of reaching a state of U' within time t is at least p. The 
suffix Advs is omitted whenever we think it is clear from the context. 

Definition 2.8 Let e V i it be the event schema thatT applied to an execution automaton HT 
returns the set of maximal executions a of H where a state from U' is reached in some 

state of a within time t. Then U — >Advs U 1 iff for each s G U and each A G AdvsT 

p 

P, 



'H(MAA eU '^ H{M ^ A ^ S ^^P- 



Proposition 2.9 Let U, U', U" be sets of states of a probabilistic automaton M . 

IfU-U U', then U U U" -^ U' U U". 

J p ' p 



22 



In order to compose time bound statementsFwe need a restriction for adversary schemas 
stating that the power of the adversary schema is not reduced if a prefix of the past history of 
the execution is not known. Most adversary schemas that appear in the literature satisfy this 
restriction. 

Definition 2.10 An adversary schema Advs for a probabilistic automaton M is execution 
closed ilTfor each A G Advs and each finite execution fragment a £ /rag*(M)rthere exists an 
adversary A' G Advs such that for each execution fragment a' £ frag*(M) with Istate(a) = 
fstate(a')TA'(a') = A(a^a'). ■ 

Theorem 2.11 (Composability theorem) Let Advs be an execution closed adversary schema 

for a probabilistic timed automaton M , and let U, U', U" be sets of states of M . 

If U -^Advs U' and U' —^Advs U" , then U -^ A dvs U" . ■ 

Pl P2 PlP2 

Corollary 2.12 Let Advs be an execution closed adversary schema for a probabilistic timed 
automaton M , and let U, Ui, U 2 , . . ., U n , U* be sets of states of M . 
If U —^Advs PiU U 2 , U . . . U U n , and if Ui —^Advs U* for all i, then 

t+max(ti,t 2 , •••,*<) TT * 

V . , ► , Advs U 

mm(pi,p 2 ,.--iP.) 



2.3 Networks as Probabilistic Automata 

In this section we briefly describe how self- stabilizing protocols running on networks with 
shared-memory links can be modeled using probabilistic automata. 

Self-stabilizing network protocols operate on networks that are dynamic — the set of pro- 
cessors or links may change during the execution. A change in the status of a processor or link 
is communicated to the processors it connects by a low level self- stabilizing protocol. Furtherl 1 

23 



the state of a processor may change arbitrarily (not by an algorithmic steprbut by "memory 
corruption"). We assume that the sequence of topological changes and non- algorithmic state 
changes is finite and that eventually such events cease. This allows us to ignore topological and 
state changes during an execution a of our protocoiras the last such change can be considered 
to change the network state to an arbitrary start state s of a new change-free execution. The 
time complexity measures the time taken for the protocol to succeed after the last such change. 

The network G(V, E) can be represented by a "global" probabilistic automaton M whose 
state contains a vector of states of all its processors. We assume that the state s^j of a processor 
i fully describes its internal state and the values written in all its registers. Thus the global 
state s contains {s^j, S[ 2 ], . . . ,S[„]}; in additionrit also contains timing information (e.g. now). 
The local computation at each processor consists of a sequence of atomic actions; the set 
acts(M) of actions of the global network includes the set of actions of each of its nodesFand 
the time passage action v. 

2.3.1 Fairness 

Let vis(M) denote the non-time-passage actions of acts(M). For the time complexity analysisr 
our protocols require that each action of vis(M) be executed in every unit of time. To this 
endrfor each action a in vis(M)Twe include in state s a (real) "deadline" for that actionr 
s.deadline(a); this deadline represents the latest time by which action a must be performed 
again. For all s G start(M)Ts.deadline(a) = 1. A time passage step (s, //, s') of M must satisfy 
the following condition: s' .now < mm aeviS ( M ^{deadline(a)} . For a non-time-passage action 
(s,a,s')Ts'.now = s.nowT and s' .deadline(a) = s.now + 1. Note that this construction guaran- 
tees that in any execution fragment a = s aiSia 2 ... of M if Istate(a) .now > fstate(a) .now + IT 
then for every action a in vis there exists a step (s, a, s') in a. 

For stating time boundsFwe will need to assume fair adversaries. A is said to be fair iff the 
time advances without bound in every infinite execution fragment generated by A. (Note that 
this rules out "Zeno executions.") Let Fairadvs(M) denote the adversary schema consisting 

24 



of fair adversaries of M. From the definitionsrit can be seen that any infinite execution a = 
s aiSia 2 ... of M generated by a fair adversary A can be partitioned into an infinite number 
of "roundsF such that each processor performs each one of its enabled actions at least once in 
every round. 

Alsornote that the adversary schema Fairadvs(M) is execution-closed (cf. Definition 2.10). 



25 



26 



Chapter 3 

General Approaches to Spanning 
Tree Construction 



Spanning tree algorithms usually utilize variants of a common overall scheme. We first describe 
the basic scheme which assumes the existence of unique node IDs. Each node is associated with 
a "priorityF which could initially be the node's IDTfor instance. At any instant during the 
algorithm's progressrthe network is logically partitioned into a spanning forestTwhich is defined 
by parent pointers maintained by the nodes. Initially (unless initialized by the adversary)Tthis 
forest consists of the single-node trees defined by the network nodes themselves (i.e. parent = 
nil at all nodesrso each node is a root). Starting from this configurationrthe nodes gradually 
coalesce into larger trees. Each node keeps track of the priority of the root of its tree. The 
goal is to produce a spanning tree rooted at the node with the highest priority. Nodes in 
the forest keep on exchanging root priorities with their neighbors. When a node u notices 
a neighbor v with a higher root priorityTit attaches itself to v 's tree by making v its parent 
(parent u <— v). Thusrtrees with higher root priorities overrun trees with lower ones. Since the 
priorities are totally orderedreventually all nodes in the network form a single tree rooted at 
the node with the highest priority. This simple ID-based scheme is not self- stabilizing! 1 since 
if we allow "corrupted" initial statesr nodes may "believe in" a highest priority that is not 

27 



actually possessed by any root. 

To adapt the ID-based scheme to an anonymous network (i.e. with no pre-assigned IDs)T 
we need randomization to break symmetry between the processors. Each node in the network 
flips coins to arrive at a random IDTand participates in the tree construction process described 
above. Since IDs (and hence priorities) are chosen randomlyrit is possible that the node 
with the highest priority in the network is not unique; there could be several such nodes with 
highest priority p. In such a situationrthe above algorithm would halt when the network forms 
a spanning forestTwith each tree rooted at one of the nodes with priority p. In this final stater 
all nodes would have the same ID; thus coalescing would cease at this point. 

To detect such "multiple highest prioritiesF [AKY90] and [DIM 91] proposed the method of 
recoloring trees. In typical recoloring schemesreach tree is associated with a randomly chosen 
color. The root chooses a color at random from a small set of "colors" C of constant size (e.g. 
C ={0, 1, 2, 3}). This color is propagated through the entire tree rooted at that root. When 
the root receives confirmation that the entire tree has been colored with its color (through a 
simple acknowledgement mechanism)rit chooses a new color. The process is repeated forever. 

If there are several neighboring trees with priority prthere must exist nodes that are linked 
to neighbors not in their own tree. Since tree colors are chosen randomlyrneighboring nodes 
that belong to different trees will assume different sequences of colors over time; this fact can 
be exploited to let such neighbors detect their affiliation to different trees. 

In the scheme proposed by [AKY90]Tthe sequence of colors chosen by a root to color its tree 
is "alternating" - of the form (ciTc s Tc 2 Tc s Tc 3 Tc s T. . .)Twhere c s is a special color r "no- color F 
and Ci 7^ no-color for all i. We can represent "no-color" by the color 0; then c, ^ for all i. 
Thus when a root receives acknowledgement about its entire tree being colored with a non-zero 
colorrit colors its tree with color 0. When its tree is entirely colored with color OTit again 
recolors its tree with a non-zero color. In this schemerif the node's own color c, is non-zerol 1 
then if it notices a neighbor with a non-zero color different from its own colorrit can correctly 
conclude that that neighbor belongs to a different tree. Since the scheduler is assumed to be 
adversariair additional constraints are imposed on the acknowledgement mechanism; details 

28 



are presented in Section 5. 

If a node v detects another treeHts root is informed of the condition. When a root learns 
of the existence of another tree rooted at the same IDrin the [AKY90] and [DIM91] schemes 
the root extends its ID by a randomly chosen bit and continues the protocol. Extending IDs 
is a way of breaking symmetry; eventually the roots in the network have appended enough 
random bits to their IDs so that there is a unique root with the highest IDTand subsequently 
a unique tree spanning the entire network. 

Our technical contribution in this paper is twofold. FirstTwe develop a framework for ID 
extension and generalize the concept. Our generalization enables us to reduce the time com- 
plexity of the randomized protocol to O(d)rwithout prior knowledge of the size or diameter of 
the network. Our second main contribution is to use the concept of extension to efficiently con- 
fer the property of self-stabilization upon the basic deterministic scheme for ID-based networksr 
thus enabling us to give the first deterministic spanning tree protocol that is time-optimal (i.e. 
0(d) time) without prior knowledge of bounds on the network size or diameter. 

Intuitivelyrthe log n factor in the previous randomized result came from the need to initiate 
a new competition every time two trees "collided." Every time a tree T noticed another tree 
T with the same root IDTT would randomly extend its ID to try to "win" over T. Our new 
method usually needs just 0(1) ID extensions per node to converge to a spanning treeFas 
opposed to O(logra) extensions in the previous scheme. To achieve this the extension needs to 
be done in a careful way. When several IDs are independently extendedronly one extended ID 
ought to "winF in order to prevent the need for additional competition. Furtherrindependent 
extensions must attempt to preserve existing order: they must not make a previously "beaten" 
tree become the maximumr since this will prevent progress by possibly necessitating new 
competition(s). 

Previous approaches to the deterministic version attempt to form a spanning tree at the 
node vi with the highest (or lowest) "hard- wired" ID. In doing sorthey have to contend with the 
ghost root problem — eliminating all "belief" in the ghost root usually necessitates an "extra" 
0(<i) addition to the time complexity. We exploit our intuitive results about ID extension to 

29 



modify belief in the ghost root. In our schemeFas opposed to previous schemesrthe node with 
the "distinguished" hardwired ID ID\ need not be the root of the spanning tree. The final root 
is determined by the state s set by the adversary at the start of the algorithm — the root is one 
of the nodes that believes in the highest ID. 



30 



Chapter 4 

A Key Approach to Representing 
IDs 



4.1 The Afek-Matias Probability Distribution 

In [AM89]TAfek and Matias proposed a probability distribution which can be used to break 
symmetry in sets of unknown size. Let p be a pair (s,t) of integersFand let pairs be ordered 
lexicographically. [AM89] proposed a probability distribution on s and iFsuch that if several 
(say k) pairs (s,,^) are randomly computedrthere is a unique highest pair with probability at 
least eTwhere I is a constant independent of k. The number s, is randomly selected according 
to the probability distribution 

and the number i, is randomly uniformly selected from the range [ir201n(4r)] where r = 1/e 
(e = 1 - e). e is the probability of error we are prepared to tolerate for a given collection of 
randomly chosen values of i, — with probability < eFsuch a collection will not have a unique 
maximum). The purpose of i, is to break symmetry between pairs that have the same s 8 Tsince 
a small constant number of pairs are expected to have the same highest s,. For our purposesr 
we choose e = e = l/2Fso s, is chosen from the range [ir201n8]. The choice of e affects the 

31 



running time of our randomized algorithm by only a constant factor; we have not attempted to 
compute the optimal value. Our choice of e implies that if k pairs are flippedrthere is exactly 
one highest pair with probability > 1/2. 

Since the protocols and the time complexity analysis do not need to access the individual 
components of a pairrto ease the notationLwe will henceforth assume that a pair (s,t) is 
uniquely represented as a single integer x. The mapping must preserve the order on (s,t); 
since the range of t is finiterit is easy to construct such a mapping. 

We now formally describe the Afek-Matias probability spaces that we will use. Let T AM 
denote the probability space that represents the outcome of k independent pair flips. Let 
Xi,X 2 , ■ ■ ■ ,X k be independent identically distributed random variables on this space repre- 
senting the k flips. The distribution of each X is the AM distribution specified earlier; let 
P(X = x) be denoted by Pr(x) . A sample point p on this space is an outcome of k flipsL 
(pi,p 2 , ■ ■ -,Pk)- The set of events on this space is the set 2°Lwhere O is the set of integer 
A;-tuples. Let P r k(E) be the probability of event E. Let Highest be the random variable that 
returns the highest coin flip: 

Highest(p 1 ,p 2 ,...,p k ) = max(pi,p 2 , . . . ,p k ) 

AlsoLwe define the event UNIQH to be the event that "there exists a unique highest coin flip"; 
thus 

UNIQH = {p | (3i | Pi > Pj Vj ^ i)} 

We now state some properties of T k AM . The first property is the main result of [AM89]: 
Theorem 4.1 For any k, P r * (UNIQH) > 1/2. ■ 

The next two theorems are proved in appendix A: 

Theorem 4.2 For any k,i, P r *(UNIQH | (Highest > i)) > 1/2. ■ 

Theorem 4.3 For any k, i, P r * (Highest ^ i) > (1 - e" 1 / 4 ) > 0.22. ■ 

32 



4.2 ID Representation 

IDs are represented as tuples of entries; each entry is an integer. In the randomized protocoir 
an entry may represent the result of a number randomly chosen according to the AM scheme 
(cf. Section 4.1). 

We impose a lexicographic order -< on IDs; this order is a total order. Thus if X = 
(xi, . . . , Xj) and Y = (y l5 . . ., y k ) are two IDsrthen 

X <Y ^^ j < k and (x u . . ., x/) = (y u ...,yj) 

OR 
3m < mm(j,k) \ (x u . . . , x m _ 1 ) = (y u . . . , y m -i) and x m < y m 



If the first case holdsri.e. if X is a proper prefix of YTwe define the precedence to hold in 

w 

the weak senseTor X -<Y . In the second caserX is not a prefix of Y; we define the precedence 

s w s 

to hold in the strong senseTor X -< Y. We define the relations < and < similarlyr but they 
also include equality (i.e. same IDs). 

The concatenation of two IDs X = (a l5 . . . ,<2j) and Y = (&i, ..., bj)T written X : YTis 
defined as the ID (a l5 . . .,a,j,bi, . . .,bj). 

For an ID XTlet idlength(X) denote the number of entries in XTand let X[i] denote the 
ith entry of X. Let X[l..i] denote the prefix (X[1],X[2], . . .,X[i\). 

We now state some basic properties of our ID representation: 
Proposition 4.4 For any IDs A, B, A' , B' , and C, the following properties hold: 

1. A < A:B. 

2. (A < B) A (B < C) => (A < C). 

3. (A < B) A (B < C) => (A A C). 

33 



4. (A < B) h (A < C) => (C ■< B). 

5. (A<B) =*► (A: A 1 k B:B'). 



4.3 Motivation behind our ID Representation 

As mentioned earlieiT nodes compete with one another for being the root of the eventual 
spanning tree. The competition is on the basis of IDs; a higher ID "beats" a lower one; 
correspondingly! 1 a tree with a high root ID overruns a tree with a lower root ID. If two 
trees with the same root ID detect each other's existencertheir root nodes need to break the 
symmetry so that only one of the two advances in the competition. A highly desirable model 
to impose on this competition is the tournament modeirto pick a unique winner starting with 
n competitors. As the tournament progressesIVe have a shrinking pool of "candidates" for the 
eventual winner; once a player leaves the pooirit is out of the running. 

Our definition of IDs and the ordering defined on them captures the tournament model. 
A root can only change its ID by appending an entry to it. When two roots with equal IDs 
independently extend their IDs in this mannerFone of the new IDs is ordered higher than the 
other (if they are different). FurtherFnote that the first ID is now higher in the strong sense: if 
the roots perform further (possibly none) extensionsrthe first root ID will remain higher even 
after additional extensions (by Proposition 4.4(5)). The second rootTwith the lower IDTcan 
never compete with the first root after this extension. Hence there exists a shrinking pool of 
"candidate" roots. The fact that a root "beaten" in this manner cannot compete further for 
being the eventual root is crucial to the time complexity of our algorithmFsince competitions 
between non-candidate roots do not contribute to the overall time complexity. 

IfTon the other handriD X is higher than ID Y in the weak senserit is still possible for YT 
through some sequence of extensionsrto eventually be higher than X in the strong sense. Thus 
a weak-sense relationship between two IDs implies that the roots possessing those IDs are not 

34 



yet "differentiated" in the competition; either of them might eventually "beat" the other. 



35 



36 



Chapter 5 

Specification of the Randomized 
Algorithm 



Section 3 described the basic approach used by our randomized algorithm. This section states 
the algorithm. The deterministic version is very similar to the randomized one; we briefly 
describe the deterministic version in Section 8. 

The network can be modeled as a probabilistic automaton RSST (for "Randomized Self- 
stabilizing Spanning Tree") whose state s contains a global time component s.nowTa set of 
deadlines {s.deadline(a)} (cf. Section 2.3.1)Tand the states of the network nodes. The state 
S[ u ] of each node u consists of a set of shared variables ID U , distance u , parent u , color u , mode u , 
other-trees u , andrfor each neighbor v of uTnbr-color uv . In additionrthe state of each node u 
contains a set of local variables ID uv , distance uv , parent UV T color uv ,mode uv T other-trees uv and 
self-color uv for each neighbor v of u; these are local copies of the corresponding variables at v 
(with the exception of self-color uv T which is a local copy of color vu ) which node u maintains 
and periodically updates by reading v 's shared variables. These variables can be partitioned 
into two categories: those associated with tree overrunning — ID, distance, parent; and those 
associated with recoloring or the process of detecting "competing" trees — color, mode, other- 
trees, self-colorT&nd nbr-color (cf. Section 3). The state variables and their types are listed in 

37 



Shared variables: 

Variables for tree overrunning: 

ID U £ ID-tuples (cf. Section 4)rcurrent ID 

distance u £ {0nr2...]Testimate of current distance from root 

parent u £ {nil} U M>rs(M)rpointer to parent 

Variables for tree recoloring: 

color u £ {0rir2r3]Tcurrent color 

mode u £ {broadcastrechojTrecoloring phase 

other-trees u £ {truerfalsejTexistence of other trees with same ID 

Vf £ Nbrs(u)Tnbr-color uv £ {ir2r3Fundefined}riast "real" color of nbr v 

Local variables: 

Vf £ Nbrs(u)T 

/* local copy of corresponding shared variables at neighbor v */ 
ID UV T parent uv Tdistance uv T color uv Tmode uv Tother-trees uv Y self -color uv 

(Note that color UV T self-color uv £ {0nr2r3rundefined}) 



Figure 5-1: Set S[ u ] — State components of node u 

Figure 5-1. 

Nodes maintain IDs; these IDs are not "hard-wired" (since we are considering anonymous 
networks here)Tand are susceptible to change. The parent u variable at u points to a neighboring 
node (or "nil"); the set of parent u variables at all nodes u £ V define a subset E parent of the 
set of edges E. We attempt to make the parent subgraph G varent = (V, E parent ) represent a 
forest; thus we attempt to make each node u belong to a tree T u . The distance u variable is an 
estimate of the distance from u to the root of its tree T u (if such a tree exists). 

The priority of a node u is defined to be the tuple (ID u ,distance u ). We define a total order 
>■ on priorities: 



38 



/* copy neighbor variables into local memory */ 
Vv e Nbrs(u)TCOFY uv 

/* become child of neighbor with maximum priorityTor become root */ 
MAXIMIZE-PRIOBITY u 

/* if local neighborhood "looks" stableFparticipate in recoloring etc.*/ 
DETECT-TREES„ 

/* if root's tree has acknowledged colorFchoose new color */ 
NEXF-COFOR u 

/* if root has detected other trees with same IDTextend ID */ 
EXTEND-ID,, 



Figure 5-2: Actions of node u 

Definition 5.1 (Order >> on priorities) (ID U , distance u ) >> (ID V , distance v ) iff either 
ID U > ID v Tor their IDs are equal and distance u < distance v . Fhe analogous relation >> 
includes equality. ■ 

Fhe protocol at each node u is implemented through the atomic actions specified in Figure 
5-2. Note that each action is always enabled; actions need not be performed in any particular 
order. At each state of an execution a = SoaiS 1 a 2 s 2 ...rthe adversary chooses the next processor 
u to perform an actionFas well as the particular action of u that is performed. 

Fhe action COPY ut , (Fig. 5-3) reads the values of neighbor f's shared variables and copies 
it into the corresponding local "opinions" at node u. Besidesrit performs tasks related to the 
coloring algorithm. Fhe action MAXIMIZE-PRIORIFYt, (Fig. 5-4) makes u participate in the 
important task of tree overrunning; it sets the ID, distance and parent variables. (It makes node 
u maximize its priority by attaching to neighboring nodesrif possible.) Fhe action DEFECF- 
FREESt, (Fig. 5-5) makes u participate in recoloring its tree to detect "competing" trees with 



39 



the same ID. If u is a root whose tree has acknowledged being colored with a certain color r 
the action NEXT-COLOR^, (Fig. 5-6) makes u choose the next color to color its tree with. 
Finallyrif u is a root node and the recoloring process has informed it of a "competitor" treeL 
the action EXTEND-ID U (Fig. 5-7) causes u to extend its ID randomly to break symmetry. 

Definition 5.2 (RSST) The probabilistic automaton RSST is defined as follows: 

1. The set states( RSST) consists of all states s such that 

• The values of all variables in S[ u ] belong to their corresponding types (listed in 
Figure 5-l)L 

• s.now > Orand 

• for each a £ acts(RSST)Ts.deadUne(a) > 1. 

2. start(RSST) = {s | s.now = A V a £ acfo(RSST), s.deadline(a) = 1}. 

3. acts(RSSJ) = v (time passage)rand for all u and all v £ Nbrs(u)T{COFY uv , MAXIMIZE- 
PRIORITY u rDETECT-TREES u rNEXT-COLOR„rEXTEND-ID u }. 

4. steps( RSST) is specified by the code for the individual actions in acfo(RSST)riisted in 
Figures 5-3 - 5-7. ■ 

Henceforthrthe code is organizedrfor conveniencerinto statements labeled [A]r[B]r[C]r 
etc. 

Statement [A] in action COPY^ (Figure 5-3) invoked by node u performs the task of 
reading the shared variables of the neighbor v and copying them into local memory. For 
examplerthe value of ID U at node u is the value of m's current IDT and ^D uv is intended to 
hold the latest "opinion" of the ID of neighbor v. Statements [B]T[C] and [D] perform tasks 
required for the tree detection algorithm; they are described in Section 5.1. 

We want trees with high root IDs to "overrun" trees with lower root IDs. To this endr 
each node u tries to "optimize" its ID: if it notices a neighbor with an ID higher than itselfTit 

40 



COPY„„ 




/* make local copies of neighbor variables */ 


[A] 


lUuv * lUv 




distance uv <— distance v 




parent uv <— parent v 




color uv <— color v 




mode uv <— mode v 




other-trees uv <— other-trees v 




self-color uv <— color vu 




/* perform coloring tasks if necessary */ 




if (IZ)„ = IZ) U and |(cfeiajice„ — rfisiance u )| < 1) 


[B] 


then 




/* record color of neighbor if necessary */ 


[C] 


if (color u ^ 0) and (color v ^ 0) 




then 




nbr-color uv <— color v 




if color v ^ color u then other-trees^- true 




/* copy parent's color if necessary */ 


[D] 


if (parent u = i>) and (color u ^ color v ) 




then Reset- Color u (co/or^) 





Figure 5-3: Action COPY ut , 



41 



MAXIMIZE-PRIORITY„ 

/* let / be the "largest" of all neighbors that have max priority */ 

Let / <— max {x \ (ID ux ,distance ux ) = max.' v€Nhrs ^(ID uv ,distance uv ) } [E] 

(where max' is maximum over the relation ^Tcf. Definition 5.1) 

/* force root to extend firstTif about to be overrun by a suffix ID */ 

W 

if (parent u = nil) and ID U < ID u j then [F] 

w 

while ID U < ID ul 
Append- Entry^) 

/* if u can improve its priorityrby becoming child of another */ 
/* neighborrdo soFotherwise become root */ 

if (ID u i, distance u i) >> (ID U , distance u ) /* see def. of >> */ 

then [G] 

ID U ^ ID ul 

distance u <— distance^ + 1 
parent u <— / 

else /* no neighbor has a larger priority; become root */ [H] 

distance u <— 
parent u <— nil 



Figure 5-4: Action MAXIMIZE-PRIOBITY u 



42 



attaches to the neighbor with the highest IDTand changes its ID to the observed ID. Further r 
once it has optimized its IDTit also tries to optimize its distance: it prefers to attach to the 
node with the smallest distance. The purpose of the distance counters is to "shrink" long 
branches in trees so that no branch can exceed diameter length. Hence in [E] of MAXIMIZE- 
PRIORITYrwe make u determine the neighbor / with the highest priority. Many neighbors 
may all have the same highest priority; we break ties by choosing the highest-ordered neighbor 
(each processor is assumed to maintain a total order on its neighborsFso that such ties can be 
resolved in a consistent manner). 



The purpose of statement [F] is rather technical; it is not required for correctness but plays 
an important role in maintaining an overall 0(6) time complexity for our algorithm. (Note that 
6 is the network diameter.) As will be explained in the time complexity analysis of Section 6r 
statement [F] limits the power of an adversary to alter the probability distribution of existing 
root IDs. 



Statement [G] determines whether node u can increase its priority by attaching to the 
"highest" neighbor / determined by [E]. If the priority cannot decreaserit then makes the 
neighbor / its parentT assumes its IDTand assumes its distance incremented by one. 

Howeverrif node u can only decrease its priority by attaching to the neighbor /r[H] makes 
it become a rootT keeping its ID unchanged and resetting its distance to zero. This is the 
mechanism of handling the ghost root problem described earlier — if node u notices that it was 
a nonroot node with a ID I g that is not possessed by any of its neighbors and is higher than 
all its neighbors IDsrit was erroneously "believing" in the existence of a root node with ID I g . 
In this situationFnode u simply becomes a root with ID I g by setting its distance to zerorthus 
obviating the need to "correct" erroneous belief in that root elsewhere in the network. Hence 
statement [H] plays an important role in self-stabilization. 

43 



5.1 The Tree Detection Algorithm 

The Tree Detection Algorithm has the following purpose: if two or more neighboring trees 
have the same root IDT we want their roots to detect this conditionr so that they can then 
extend their IDs to break symmetry and advance in the competition. The complexity in the 
code arises from having to contend with faultsLasynchronyLand the fact that we regard the 
scheduler as an adversary capable of altering the schedule to thwart our intentions. The Tree 
Detection Algorithm is implemented through statements [B]L[C] and [D] in action COPYr 
and through actions DETECT-TREESrNEXT-COLOR and EXTEND-ID. 

Statements [B] and [I] test for a "stability condition"; the rest of the tree detection code in 
actions COPY and DETECT-TREES is only executed if the neighborhood of node u appears 
to "believe in" only one ID. If this is not the casertree overrunning is still in progress in the 
neighborhood of MLand so tree detection can not be performed. 

Let node u belong to a tree T defined on the parent subgraph. (As will be shown in the 
proofTthe action MAXIMIZE-PRIORITY guarantees that u eventually belongs to some tree.) 
Let the root of T be node r u . The tree detection algorithm colors the tree T with an alternating 
sequence of colors { c l7 0, c 2 , 0, c 3 , 0, ... }Lwhere c, ^ for all i. The color variable of a node 
represents its current color. 

Let the color of the root r u at some instant be c. Nodes in the tree propagate color c 
to their childrenLso that eventually all nodes in tree T will set their color to c. When the 
entire tree is colored with cL nodes acknowledge this fact to the root. This propagation and 
acknowledgement is done through a standard "broadcast-echo" mechanism: the mode field of 
a node is set to either broadcast or echoT depending on which phase of the recoloring is in 
progress at that node. 

When a node notices that its own color is different from that of its parent (in statement 
[D])Lit calls the subroutine Reset- Color u (Fig. 5-8)L which "resets" its coloring variablesL 
and causes it to broadcast its parent's color (by setting its mode to broadcast and copying its 
parent's color). In this manner Lwhen a root r chooses a new color Fits descendants successively 

44 



DETECT-TREES„ 




if Vf G Nbrs(u) T (ID UV = ID U and \(distance uv — distance u )\ < 1) 


[I] 


then 






/* check for echo */ 
if 

{ (mode u = broadcast) 


[J] 




/* and if all children echo v 's color */ 

and (Vf G Cb\\dren u T mode uv = echo and color uv = color u ) 




} 
then 

m 

if 


/* and if "mirror technique" is applicable : see text. If node u has */ 
/* some color (7^ 0)Tit should have observed neighbors' colorsFand */ 
/* neighbors should have observed m's colorrdetected by self-color uv */ 
and (color u ^ =/- Vt> G Nbrs(u) T 

nbr-color uv ^ undefined and self-color uv = color u ) 




ode u <— echo 
3v G Children^ other-trees uv = true) then other-trees u <— true 


[K] 



Figure 5-5: Action DETECT-TREES„ 



NEXT-COLOR u 




/* If rootTchoose new color if necessary */ 




if (parent u = nil and mode u = echo and other-trees u 


= false) 


then 




Reset-Color u ( New-Color^)) 





Figure 5-6: Action NEXF-COFOR u 



45 



EXTEND-ID„ 




if (parent u = nil and mode u = echo and other-trees u 


= true) 


then 




Append- EntryuQ 




Reset-Color u ( New-Color^)) 





Figure 5-7: Action EXTEND-ID„ 



copy that colorFand a "broadcast wave" propagates throughout T. 

In a simple echoing scheme that does not need to take into account an adversarial scheduled 
each node u sets its direction to "echo" when all its children are echoing the same color (i.e. 
all children have the same color c as node u and have their mode set to echo). This is also 
part of our condition for echoingFwhich is tested in [J] . In this manner ran "echo wave" travels 
upwards from the leaves to the root. 

When the root r u notices that all its children are echoing its color crit concludes that its 
entire tree is colored with cFand then changes its color (through action NEXF-COFORrin 
Fig. 5-6). Its new color is a function of the previous color c: it alternates between and a 
color randomly chosen from {1F2F3}. Fhe rationale for the coloring sequence was described 
in Section 3. 

When a node is broadcasting some color (i.e.T mode u = broadcast)rit checks for the ex- 
istence of competing trees with the same ID. Fhis check is performed in [C]. In the scheme 
for a non-adversarial schedulerrif a node observes that some neighbor is colored with a color 
different from its own (provided neither color is 0)Tit can correctly conclude that that neigh- 
bor belongs to a tree different from itself. If node u detects such a competing treerit sets its 
other-trees to true] the echoing mechanism conveys this information to the root of the tree 
(through statement [K]). If a root is thus informed of the existence of a competing tree (i.e. 
another tree with the same root ID) lit attempts to break symmetry by extending its ID (action 

46 



Append- EntryuQ 

ID U <- ID u :x 

where x is an entry chosen by the Afek-Matias [AM89] scheme 



New-Color^) 

if color u = 

then return color randomly chosen from {lT2r3} 

else return 



Reset- Co\or u (color) /* reset local recoloring-related variables */ 

color u <— color 

mode u <— broadcast 

other-trees u <— false 
Vf G Nbrs(u) r 

nbr-color uv <— undefined 

self-color uv <— undefined 
Vf G Children^ Tcolor uv <— undefined 



Children^ : { v \ parent uv = u } 



Figure 5-8: Macros 



47 



EXTEND-IDTFig. 5-7). After extending its ID the root participates in the overrunning and 
recoloring processes all over again. 

Howeverrthis scheme of detecting duplicate IDs (i.e. u is colored with a non-zero color 
different from that of some neighbor v implies that v is in a different tree) is not sufficient if the 
scheduler is adversarial. Consider the recoloring process operating on two neighboring trees T 
and T having the same root IDTcontaining two neighboring nodes u and v respectively. We 
want our tree detection process to eventually let at least one of the trees detect this situation. 
Howeverrthe schedule could be manipulated by the adversary such that the two trees are never 
both colored with a non-zero color; the adversary could schedule steps such that always exactly 
one of the trees is colored and the other is colored with a non-zero color. In such a scheduler 
the trees can continue the recoloring process indefinitely without ever detecting each other. 

An idea proposed in [AKY90] modifies the scheme so that it can accomodate an adversarial 
scheduler. The idea is that when a node u is colored with a non-zero colorrit waits for each 
neighboring node to be colored with a non-zero colorT and records this color individually for 
each neighbor v as soon as availablerin the variable nbr-color uv (in [C]). Correspondingly! 1 it 
waits till it observes that each neighbor v has observed its own colorrby examining the variable 
self-color uv T which, it copied from its neighbor. The test for this mirror-like scheme is part of 
the condition [J] for echoing. Section 7 shows that this scheme succeeds for the adversarial 
scenario described earlier. 



48 



Chapter 6 

Correctness and Complexity Proof 
for the Randomized Algorithm: 
Part 1 



The probabilistic automaton RSST implementing our randomized protocol was denned in Def- 
inition 5.2. We prove that RSST constructs a spanning tree within expected 0(8) timeFwhere 
8 is the network diameter. In this section we give some basic definitions and an overview of 
the proof. 

6.1 Spanning Trees 

We first define the states of RSST that define a spanning tree. 
Definition 6.1 For any s G states(RSST)r 

• £(s) is the multiset of the node ids in sri.e. 

^3) = s.{ID Vl ,ID V2 ,ID V3 ,...,ID v J 
49 



• Node u is a root in state s if s.parent u = nil. 

• The set p(s) is the set of root nodes in sITe. 

p(s) = {m£F s.parent u = nil} 

• Node u is an ancestor of node f (u ^ v ) in s if there exists a sequence of nodes 
{u,Ui, u 2 , ..., Uj, v} such that parent u = u, parent u = Ui, . . . , parent u . = Uj_i,parent v = 

Uj. 

• State s contains a cycle if there exists a node that is an ancestor of itself. 

• State s defines a forest if it does not contain a cycle. 

• State s defines a spanning tree if it defines a forest and \p(s)\ = 1. ■ 

Let the set 

S = start(RSSJ) 

denote the set of start states of RSST. The set ST is defined as the set of states defining a 
spanning tree. Thusr 

ST = {s G states( RSST) | s defines a spanning tree} 

6.2 Overview of the Proof 

In this section we give an outline of the proof. We need to prove that departing from a state 
of <Srthe expected time to reach a state of ST is 0(6). 

Our proof is divided into several phasesFeach one of which proves a property of making 
a partial time bounded progress toward a "success state'Ti.eTa state of ST. The state sets 

50 



associated with the different phases are STJ r 'TJ-'TC = TC 1 TQTand ST. Herer 

T' = {s | s defines a forest} 
is the set of forest-defining statesfand 



T 



Vm, v, 



1. v = s. parent u =>■ s.(ID u , distance u ) <C s.(ID uv , distance uv ) 

2. v £ Nbrs(u) =>■ s.(ID uv , distance uv ) <Cs.(ID v , distance^) 



is a subset of the set of closed forest-defining states (this property will be shown in Section 
6.3). Thusronce a state of T is reachedrthe global state always defines a forest. 



To motivate the definitions of C~rC 1 rand gTwe introduce the set 

$(s) = {ue p(s) | ^(3v e p(s) | ID U A ID V )} 

of "candidate" roots in state s. This set plays a crucial role in maintaining progress of our 
algorithm. As mentioned in the description of the algorithmrroot nodes compete for being the 
root of the eventual spanning tree. We show that the root of the eventual spanning tree must 
always be present in $ after time 2rand moreoverrthat $ can only shrink with time (and thus 
|$| can never increase). These properties imply that if a state is in the set of "good" states 

g ± {s e T | ( |$( S )| =i)} 

then the root of the final spanning tree is uniquely determined. Let s be a state in T such that 
s (j£ g. Since |3>(s)| > lTfor achieving progress we need to show that starting from a state in 
TV |$| is reduced to 1 (i.e.Ta state in Q is reached) in expected 0(6) time. We do so using 
the intermediate state sets C = and C 1 . C = is defined as the set of states 

C= = {seF\Vu,ve$(s),ID u = ID v } 
51 



S -^ T 


(Proposition 6.11) 


T — > T® 


(Proposition 6.12) 


T -^ C= U C 1 


(Proposition 6.24) 


„- 77(5 +36 „! 
2/9 


(Proposition 7.80) 


c 1 -^ g 

0.11 


(Proposition 6.49) 


g ^st 


(Proposition 6.23) 



Figure 6-1: Proof Phases 

in which the IDs of all candidate roots are equal. To define C 1 Twe first define subsets 3>i(s) of 
$ as follows: 

<J>,(s) = {tie <J>(s) | idlength(/D u ) = i} 

$i(s) is defined as that subset of 3>(s) whose elements have IDs of a particular length i. (The 
set <J>>g(s) contains elements having IDs of length greater than i; <J> <J (s) is defined similarly.) 
We define the special subset 

$/„,«0) = {max($; | $,- ^ <f>)} 

as that subset of <I> whose elements have IDs of maximal length. FinallyPwe are in a position 
to define C 1 as 

c 1 = {sef\ |$,„„( S )| =1} 

i.e. TC 1 is the set of states in which there is just one element in $ whose ID is of maximal 
length. 

Having defined the relevant state setsFwe now formally describe the phases of our proof; 
they are summarized in Figure 6-1. 

The first statement states that starting from a start stateFa forest-defining state is reached 
within time 3; the second statement states that once a forest- defining state is reachedrthe 

52 



state always defines a forest. The last statement states that once a "good" state is reachedr 
within time 26 the state defines a spanning tree. 

By combining the statements above using Theorem 2.11 and Corollary 2.12rwe obtain 

,-r- 81(5+36 n 

J- — > y 

0.025 



and consequently 



^ 83(5+39 f,^. 
0.025 



Using the results of the proof summary aboveLwe can derive an upper bound of O(diameter) 
on the expected time required to reach a state of ST starting from a state of S. 

Theorem 6.2 Under any fair adversary, starting from any start state, the automaton RSST 
that implements our randomized self-stabilizing spanning tree algorithm reaches a state defining 
a spanning tree within expected 0(6) time. 

Proof. Departing from a state in TV RSST reaches a state in Q in time (at most) 81<*>+36 
with probability at least 0.025. Consider an execution of RSST starting from a state s in 
.FLand consider successive epochs of duration 81<*>+36. In the first epochrthe probability of 
attaining membership in Q ("success in the first epoch") is at least 0.025. Since T is closedr 
the probability of success in every such epoch is at least 0.025. Hencerthe expected number of 
epochs needed to attain success has an upper bound of [1/0.025] Tor 40. HenceLstarting from a 
state in .FLthe expected time taken to reach a state in Q has an upper bound of 40* (81<*> + 36)L 
which is 0(6). Since S — ► T and Q — ► STTthe expected time to reach a state in ST starting 
from a state in S is 0(6). ■ 

We now proceed with the details of the proofTi.e. the proofs of the probabilistic statements 
given above. Let A G Fairadvs be a fair adversary for RSST. Let z G S be an arbitrary starting 
state. Let H denote the execution automaton iT(RSST,yl, z). Let a' denote an execution of 
i/Tand let a be the corresponding execution a' { of RSST. 

53 



In Section 6.3rwe prove the statements S — ► .FEF — > J-^YJ- — > C = L)C 1 Y&nd Q — > ST. 
The statement C = — > C 1 is proved in Section 7rand the statement C 1 — ► Q is proved in 

2/9 r 0.11 ^ 

Section 6.4. 



6.3 Stabilization of Forest Structure, Candidate Root Proper- 
ties 

In this section we prove the statements S — > TYT — > J-\b\TT — > C = U C : rand Q — > ST. 

6.3.1 Forest Structure - Establishment and Preservation 

Each node v maintains an "opinion" of the values of the shared variables of its neighbors in 
its own local variables. Claim 6.3 states that after time lTthis "opinion" must have actually 
been read from the neighborsri.e. it is no longer arbitrarily set in the start state. 

Claim 6.3 For any s such that s.now > 1, s.VAR uv = s'.VAR v for some s' preceding s in a, 
where VAR is one of {ID, distance, parent}. 

Proof. Within time lTnode u will have performed COPY-NBRSut, for all neighbors fFand 
hence will have read the local variables of all its neighbors at least once. ■ 

Claim 6.4 and Lemma 6.5 show that the priority (defined as the tuple (IDTdistance)) of a 
node cannot decrease (in terms of the order <C defined on priorities; cf. Definition 5.1); if it 
changesrit can only increase. 

Claim 6.4 For any step (s, EXTEND-LL\, (fi, S, P)) of RSST, for any state s' G fi, 

ID 

s.ID u <s'.ID u . 

Proof. Follows directly from Proposition 4.4(1). ■ 

54 



Lemma 6.5 For any step (s, a, (0, X, P)) o/ RSST, /or any s' G 0, 
s.(ID u , distance u ) <C s'.(ID u , distance u ). 

Proof. The only actions which change (ID U , distance u ) are MAXIMIZE-PRIORITY u and 
EXTEND-ID U . If MAXIMIZE-PRIORITY„ is executedL only statements [F]L[G] and [H] 
are capable of changing (ID U , distance u ). Let the "intermediate" value of ID U after executing 
statement [F] be I; then s.ID u ■< I. If [G] is executedLthe value of (ID U , distance u ) cannot 
decreaser because of the direction of the precedence test. [H] leaves ID U intact and sets 
distance u to 0; thus s.ID u ■< I = s'.ID u and s.distance u > s' .distance u T and so the priority 
(ID U , distance u ) cannot decrease. By Claim 6.4LEXTEND-ID U increases ID u T&nd therefore 
increases the priority (ID U , distance u ). ■ 

Corollary 6.6 For all s and s' such that s precedes s' in a, 

s.(ID u , distance u ) <C s'.(ID u , distance u ). ■ 

Since priorities do not decreaserthenrby Claim 6.3rpriorities as observed by neighbors do 
not decrease: 

Corollary 6.7 For any node u, any v, the value of (ID UV , distance uv ) cannot decrease after- 
time 1. ■ 

We now establish that in any executionFany state after time 2 belongs to the set .7-Tand 
thus defines a forest. 

Lemma 6.8 For all s such that s.now > 2, each node u obeys the priority invariant: 
(parent u = v) =^ (ID U , distance u ) <C (ID UV , distance uv ). 

Proof. Consider any node u which is a child of node v in some state s such that s.now > 2; 
thus s.parent u = v. Node u last executed the statement (parent u <— v) in [G] at some step 
(s 1 MAXIMIZE-PRIORITY tl B 2 )L where (s.now - 1) < s 2 .now < s.now. By [G]Lwe have 
s 2 .(ID u , distance u ) = Si.(ID uv , distance uv + 1). Since Si precedes sin a and Si.now > lLby 
Corollary 6. 71?Si. (ID UV , distance uv ) <C s.(ID uv , distance uv ). HenceLwe have: 

55 



s.(ID u ,distance u ) = s 2 .(ID u , distance u ) 

= Si.(ID uv ,(distance uv + 1)) 
<C Si.(ID uv , distance uv ) 
<C s.(ID uv , distance uv ) 
Hence s.(ID u , distance u ) <C s.(ID uv , distance uv ). ■ 

Corollary 6.9 For all s such that s.now > 1, for any node u and any v G Nbrs(u), 
s.(ID uv , distance uv ) <C s.(ID v , distance v ). 

Proof. Let the last COPY ut , step executed by u be (si,COPY u „, s 2 ). Then s.(ID uv , distance uv ) = 
s 2 .(ID uv , distance uv ) = Si.(ID v , distance v ). Since Si precedes s in aT by Corollary 6.6r 
Si.(ID v ,distance v ) <Cs.(ID v ,distance v ). Hence s.( ID uv , distance uv ) <Cs.(ID v ,distance v ). ■ 

Corollary 6.10 T C T' . 

Proof. Let s G T . By the definition of .FPfor any u, v such that v = parent u Ts.( ID u , distance u ) 
<C s.(ID v , distance v ). Since each node must have a strictly lower priority than its parentLs 
cannot contain a cycle. ■ 



Proposition 6.11 S — > T . 



Proof. Immediate from Lemma 6.8 and Corollary 6.9. ■ 

Proposition 6.12 T — ► J-\°\. 

Proof. Let (s,a, (0, S,P)) be a step of RSST. Let s G J-T and let s' G fi. We need to show 
that s' G T . Recall the definition of T: 



T = < 



s I \/u,v, 



1. v = s. parent u =>■ s.(ID u , distance u ) <C s.(ID uv , distance uv ) 

2. v G Nbrs(u) =>■ s.(ID uv , distance uv ) <Cs.(ID v , distance v ) 

56 



The only variables that determine membership in T are parentT IDT and distance (both local 
and shared copies). Thus the only actions that can change membership in T are COPYr 
MAXIMIZE-PRIORITY and EXTEND-ID. 

Case 1 a = COPY u „. 

The only relevant effect is that s'.(ID uv , distance uv ) = s'.(ID v , distance v ); thus predicate 

2 of the definition of T holds for u. If v = parent U T then 
s'.(ID u ,distance u ) = s.(ID u ,distance u ) 

<C s.(ID uv , distance uv ) (since s G T) 

<C s' .(ID uv , distance uv ) (by Corollary 6.7) 

Hence s'.(ID u , distance u ) <C s'.(ID uv , distance uv )T and predicate 1 holds. Since no other 

node predicates are affectedIV £ T . 

Case 2 a = MAXIMIZE-PRIORITY,, . 

The only variables set are ID U T distance u T and parent u T so we only need to check that 
in state s'Tu satisfies predicate IT and that all neighbors of u satisfy predicate 2. Ei- 
ther statement [G] or [H] of MAXIMIZE-PRIORITY^ must be executed. If [G] is 
executedrs'. (ID U , distance u ) = s' .(ID ul ,(distance ul + 1)) <C s' .(ID ul , distance ul )T where 
I = s' .parent u . Hence u satisfies predicate 1. If [H] is executedr u trivially satisfies 
predicate 1 in s' . For any v G Nbrs(u)T 

s'.(ID vu ,distance vu ) = s.(ID vu , distance vu ) 

<C s.(ID u ,distance u ) (since s G T) 
<C s'.(ID u ,distance u ) (by Corollary 6.6) 
Thus any neighbor v satisfies predicate 2rand hence s' G T . 

Case 3 a = EXTEND-ID,,. 

If ID U is extendedr^ G p(s')Tso u trivially satisfies predicate 1 in state sTand since 
s G J-Tu satisfies predicate 2 in s' . By an argument identical to that for Case 2rall 
neighbors v of u also satisfy the predicatesFand so s' G T . ■ 

57 



Henceforth in the proof, for all states mentioned we will assume that s G T. 
Thus each state under discussion defines a forest. 

We now show that the set of root nodes p(s) can only diminish with time — a root may 
become a nonrootTbut not vice- versa. 

Lemma 6.13 p(s') C p(s) for all s,s' such that s' follows s in a. 

Proof. Suppose notTi.e. suppose 3u such that u G p(s') but u G - p(s). Then s'. parent u = nil 
and s. parent u ^ nil. Hence there must exist a step (s 3 rMAXIMIZE-PRIORITYt,Ls 4 ) in aFsuch 
that s 3 . parent u ^ mlT s 4 . parent u = niirand [H] was executed in MAXIMIZE-PRIORITY u . 
Let s 3 .parent u = v. From the test that causes [H] to be executedr s 3 .(ID uv , distance uv ) 
<Cs 3 .(ID u , distance u ). (Note that since s 3 .parent u ^ niir[F] was not executed in this step.) 

But since s 3 . parent u = vTthere must exist a preceding step (s 1 rMAXIMIZE-PRI0RITY t ,r5 2 ) 
in which (s 2 .(ID u , distance u ) = s 3 .(ID u , distance u )) and parent u was set to v. Since [G] was 
executed in this stepTs 2 .(ID uv , distance uv ) ^> s 2 .(ID u , distance u ). By Corollary 6.7r 
s 3 .(ID uv , distance uv ) ^> s->..(ID uv , distance uv ). 

Hence s 3 .(ID uv , distance uv ) ^> s 3 . ( ID u , distance u )T which contradicts the earlier assertion. 



6.3.2 ID Overrunning Properties 

We now show that nodes must "learn" about "high" IDs existing in the network within 26 
time — the smallest ID in the network after time t + 26 is at least as large as the highest ID at 
time t. In this senserhigh IDs "overrun" lower IDs. 

Lemma 6.14 Let D\st(u,v) = d. For any state s, there exists a state s' following s such that 
s' .now < s.now + 2d and s' .(ID,,, distance,,) ^> s.( ID,,., (distance,,, + d)). 

Proof. By induction on d. 

58 



FirstTlet d = 0. u is the only node a distance of from itself. Substituting d = in the 
statementTit can be seen to be trivially true (V = s). 

Now for the inductive steprfor any node v such that Dist(M, v)=kT&ssume that there exists 
s' such that s' .now < s.now -\-2k and s'.(ID v , distance v ) >> s.(ID u , (distance u +k)). Consider 
a node w such that D\st(u,w) = k + 1. We need to show that there exists s" such that 
s" .now < s.now + 2(k + 1) and s".(ID w , distance w ) ^> s.(ID u , (distance u + k + 1)). 

Node w must then have a neighbor f such that Dist(M, v)= k. By the inductive hypothesisr 
there exists a s' such that s' .now< s.now -\- 2k and s' .(ID,,, distance,,) >> s.( ID,,., (distance,,, + 

*))■ 

Now there must exist a step (s^COPY^, s 2 ) at some time after (s.now + 2&) and upto 
(s.now -\- 2k -\- l)Tsince our adversary must allow w to execute every action in every unit of 
time. Since Si. now > s' .nowTby Lemma 6.5rsi. (ID V , distance v ) J|>_ s'.(ID v , distance v ). Hence 
s^ .(ID,,, distance,,) >> s.( ID,,, distance,,, -\-k). Hence s 9 .( ID,,,,,, distance,,,,,) >> 
s.(ID u , (distance u + k)). 

There must exist another step (s 3 ,MAXIMIZE-PRIORITYu, , s") at some time after (s.now-\- 
2k-\-l) and upto (s.now-\-2k-\-2). By Claim 6.7Ts 3 .(ID wv , distance wv ) ^> s 2 .(ID wv , distance wv ). 
After statement [E] of MAXIMIZE-PRIORITY^T (ID wh distance^) > (ID,,,,,, distance,,,,,). 
Either statement [G] or [H] must be executed. If [G] is executedTs" .(ID W , distance w ) 
= s 3 .(ID wl ,(distance wl + 1)) J^s 3 .(ID wv ,(distance wv + 1)) J^s 2 .(ID wv ,(distance wv + 1) 
>> s.(ID u , (distance u + k + 1)). Hence there exists s" such that s" .now <( s.now + 2k + 2) and 
s".(ID w , distance w ) ^> s.(ID u , (distance u + k + 1)). 

If [H] is executedriet the intermediate value of ID U after executing [F] be /. ThenPsince 
[H] is executedrs". (ID W , distance w ) = (1,0) 

59 



>> (I , s 3 .distance w ) 
> s 3 .(ID wl , distance wl ) 
^> s 3 .(ID wv ,distance wv ) 
^> s 2 .(ID wv , distance wv ) 
^> s.(ID u , distance u + k) 
>> s.(ID u , distance u + k + 1). 



Corollary 6.15 Let D\st(u,v) = d. For any state s, for all states s' such that s' .now > 
(s.now + 2d), s'.(ID v , distance v ) >> s.(ID u , distance u + d). 

Proof. Immediate from Lemma 6.5 and Lemma 6.14. ■ 

Corollary 6.16 Let D\st(u,v) = d. For any s, there exists s' following s in a such that 
s' .now < s.now + 2d and s'.ID v y s.ID u . ■ 

Definition 6.17 (MAXID) Given a state s G C= , s. MAXID = max(((s)). 

Corollary 6.18 For any s, there exists s' following s in a such that s' .now < s.now + 26 and 
Vm G V, s'.ID u y s. MAXID. For all s" such that s" .now > s.now + 26, s".ID u h s. MAXID. 



6.3.3 Candidate Root Properties 

We first state a very important property of the set 3>(s). In effectLthe ID of each root in 3>(s) 
is a prefix of the highest such ID. 

Observation 6.19 For any s and any u, v G 3>(s), 

W 

1. idlength(s./D u ) < idlength(s./D„) =>- s.ID u ■< s.ID v . 

60 



2. idlength(s./D u ) = idlength(s./D„) =>- s.ID u = s.ID 



v • 



Proof. If u, v £ 3>(s)rby the definition of <J>(s)Lit cannot be the case that ID U -k ID V or 

S WW 

ID U y ID V . Hence ID U = ID v Tor ID U -< ID v Tor ID U y ID V . Hence idlength(s./D u ) < 

W 

idlength(s./D„) must imply ID U -< ID V T and idlength(s./D u ) = idlength(s.TD^) must 
imply ID U = ID V . ■ 

Consider any root node r. The following lemma states that as long as r stays a rootTits 
ID can only change by extension (only by invoking the call Append- EntryQ through actions 
MAXIMIZE-PRIORITY r or EXTEND-ID r ). 

Lemma 6.20 Let s,s' be any states such that s' follows s in a. 

w 

If re (p(s) n p(s')), s.ID r < s'.ID r . 

Proof. Consider a node r £ (p(s) fl p(s')). Let a x be the execution fragment sa,\S\ . . .a,is'. If 
there exists a state s, G a x such that r (j£ p(sj)rthen r (j£ p(s') by Lemma 6.13. Hence r £ p(si) 
for every state s, in a^. 

Hence for every step (s,, a, (0, S, P)) in a^Lfor every state Sj in fiLs,. parent r = Sj .parent r = 
nil. Thus in action aLstatement [G] of MAXIMIZE-PRIORITY r could not have been executed. 
Hence the only way ID r can change is through the call to Append- EntryQL made by [F] of 
MAXIMIZE-PRIORITY r or by EXTEND-ID r . By Proposition 4.4(l)Lfor every such s,- and 

W WW 

SjTsi.ID r ■< Sj.ID r . By transitivity of ■< Lit follows that s.ID r ■< s'.ID r . ■ 

The following is a crucial property of our algorithm. To ensure fast progressLwe want 
to ensure that if a root r\ has an ID that is smaller than that of another root r 2 L then the 
relationship will stay that wayLeven if the two roots never communicate directly. We can 
ensure this only if r 2 's ID is higher in the strong sense. 

Lemma 6.21 For all s,s' such that s' follows s in a, 
ifr 1 ,r 2 e(p(s)np(s')),s.(W rl < ID r2 ) =^ s'.(W rl < ID r2 ). 

61 



Proof. Immediate from Lemma 6.20 and Proposition 4.4(5). ■ 

We now show that the set $ is the set of roots that have a chance of "surviving" - a root 
not in this set cannot be the root of the final spanning treeLand will definitely be overrun by 
some other tree. We now have a "competition" between roots in the forest. The "winner" of 
the competition will be the root of the eventual spanning tree. The set $ is the set of roots 
still in the fray; all other roots have "lost" and will be overrun. All roots change their IDs only 
by extension (unless they cease to be a root)Land by changing their ID they may lose their 
membership in $. 

Lemma 6.22 For all s,s' such that s' follows s in a, <J>(s') C 3>(s). 

Proof. Suppose not. Then there exists a node r such that r £ <J>(s') but r £" 3>(s). Since 
r £ p(s')Tby Lemma 6.13 r £ p(s). By the definition of <J>(s)Lthere exists some node q £ 3>(s) 
such that s.ID r -k s.ID q . But by Corollary 6.6Ts.ID q ■< s'.ID q . Hence by Proposition 4.4(3)L 

s w s 

s.ID r < s'.ID q . By Lemma 6.20Ts.ID r < s'.ID r . Applying Proposition 4A(4)Ts' JD r < s'.ID q . 
Thus r £" <i>(s')Lcontradicting our earlier supposition. ■ 

Proposition 6.23 states that if in some state s the set $ has just one memberLa state s' 
defining a spanning tree is reached within 26 time. 

26 
Proposition 6.23 Q — > ST 

Proof. Let s be a state in Q . By Corollary 6.18Lthere exists a state s' following s such that 
s'.now < s.now + 26 and for all u £ VTs'.ID u y s.MAXID. 

We have |3>(s)| = 1; thereforeLa unique node r has the maximum ID in s. Consider any 
node q ^ r in p(s). By definition of &(s)Ts.ID q -< s.ID r . Now if q £ p(s')Tby Lemma 6.20L 

w ... s 

s.IDq < s' .ID q T which implies s'.ID q -< s.ID r by Proposition 4.4(4). But this contradicts our 
choice of s'Lsince s' was chosen such that s' .ID q y s.ID r . Thus any node q ^ r in p(s) cannot 
be in p(s'). Since p(s') C p(s) by Lemma 6.13Lit follows that p(s') = {r}Land so s' £ ST. ■ 

62 



Proposition 6.24 T -^ C= U C 1 



Proof. Let s G T . Consider any execution a = sa 1 s 1 a 2 s 2 . . .; let fj, = s.MAXID. By Corollary 
6.18rthere exists a state s k following s in a such that s k .now < s.now + 2<Tand for all u G VT 
s k .ID u y fj,. Consider the execution prefix a x = saiSia 2 ■ ■ .s k of a. We show that there must 
exist some state s' in a x such that s' G C = U C 1 . For all u in §(s k )Ts k .ID u y fj,. Consider the 
following mutually exhaustive possibilities for &(s k ): 

Case 1 For all u G §{s k )Ts k .ID u = fj,. 
Then s k G C = Land we are done. 

Case 2 For some u G §{s k )Ts k .ID u y fj,. 

Since &(s k ) C <J>(s)Lby Lemma 6.22Ts k .ID u y fj, for some u G 3>(s). Since each step in 
a changes at most one IDLand since s.ID x < fj, for all x G 3>(s)rthere must exist some 
state s' in a such that there is exactly one node v G 3>(s) for which s' .ID V y fj,. Since 
3>(s') C 3>(s) by Lemma 6.22Lf is the only node in 3>(s') such that s' .ID V y fj,. Hence 
/D^ = max^ q, ,JID W )Lwhich implies that v G $/„,„(•§')• There cannot exist another 
node w G <£/„,„ (V)Lsince that would imply that s' .ID W = s'. ID t,Lwhich would violate our 
assumption that v is the only node in 3>(s') such that s' .ID V y fj,. Hence |^; raoi (s')l = ^ 
and so s' G C 1 . 

w 

Case 3 ID U y fj, for all u G < i ) (s fc )Land there is at least one node u G &(s k ) such that 

w 

s k .ID u y fj,. 

Since &(s k ) C <J>(s)Lby Lemma 6.22Lthere is at least one node u G 3>(s) such that 

w 
s k .ID u y fj,. Since each step in a changes at most one IDLand since s.ID x ■< fj, for all x G 

<J>(s)Lthere must exist some state s' in a such that there is exactly one node v G 3>(s) for 

w # s 

which s .ID V y fj,. There cannot exist a node w G 3>(s) such that s .ID W y ^Lsince that 

would imply by Corollary 6.6 that s k .ID w y s'.ID w and hence by Proposition 4.4(3) that 

s ■ w 

s k .ID w y juLwhich contradicts our assumption that s k .ID u y fj, for all u G &(s k ). Thus 

63 



for all u other than v in &(s)Ts' .ID U -< fj,. Thus $i max (s') = {u}; hence |^; raoi (s')| = 1 
and s' G C 1 . ■ 

6.4 The ID-forcing Proposition 

In this section we prove the statement C 1 — ► QTi.e.T starting from a state in which there 
is only one candidate of maximal ID lengthrwithin 26 timeLwith probability at least 0.11L 
we reach a "good" state — a state in which there is just one candidate. This is a substantial 
progress propertyr since if a state is "good" then within 26 additional time we reach a state 
defining a spanning tree. 

Let s be a state in C : Land let H be the execution automaton #(RSST,«4, s). Let fi' be 
a maximal execution of i/Tand let fi = fi 1 { = sa 1 s 1 a 2 s 2 ... be the corresponding execution 
of RSST. Let l min denote min <j>, s(lDLENGTH(s.ZD u ))rand let l max be defined analogously. 
Thus all nodes in 3>(s) have ID lengths between l min and l max . Let fj, = s.MAXIDLand let r 
be the unique element of 3>(s) such that s.ID r = fj,. (Since s G C 1 Tr is unique.) Thus r is the 
unique candidate root in s having the maximum ID length l max . 

By the ID overrunning propertyL Corollary 6.18Lthere exists a state s k following s in fi 
such that s k .now < s.now + 26 and for all u G VTs k .ID u y fj,. Let s k be the first such state in 
fi. Let fii be the execution prefix sa 1 s 1 a 2 s 2 . . .s k . 

We will use these definitions of sT s k T fiT fiiTl mm Tl max T iiTsu^A r throughout the rest of this 
section. 

We first give some basic definitions and observations related to these definitions. 

Definition 6.25 (Competitive and dominant nodes) Let HT sT s k T [iT f] and fii be as 

defined aboveLand let i < l max . ThenL 

• Node u is competitive at the i th position in /3Lif there exists s' G fi\ such that u G p(s') 
and s'.ID u [l..i] = fj,[l..i]. 

64 



• Node u is dominant at the i th position in fiTif there exists s' G fi\ such that u G p(s')T 
s'.ID u [l..(i — 1)] = p[l..(i — l)]rand s'.ID u [i] > p[i]. Node u is dominant before the i th 
position in fiTif there exists a j < i such that u is dominant at the j th position. 

We now state some observations arising from the above definitions. The first property 
states that competitiveness and dominance of a node at a particular position are mutually 
exclusive: 

Claim 6.26 A node u cannot be both competitive and dominant at the i th position, for any i. 

Proof. Suppose u is competitive and dominant at the i th position in fi. Since it is competitiver 
there exists s' G fi such that u G p(s') and s'.ID u [i] = p[i]. Since it is dominantTthere exists 
s" G fi such that u G p(s") and s".ID u [i] > p[i\. Clearlyrs'./D„[i] ^ s" .ID u [i\. 

Now s' must either precede or follow s" in fi. If s' precedes s'TLemma 6.20 implies that 

w 

s'.ID u ■< s".ID u T which implies s'.ID u [i] = s".ID u [i]T which is a contradiction. Similarlyrthe 
other casers' follows s'Tleads to the same contradiction. ■ 

Claim 6.27 If a node u is either competitive or dominant at the i th position in fi, it is com- 
petitive at the j th position for all j < i. 

Proof. Straightforward from Definition 6.25. ■ 

Claim 6.28 If a node u dominant at the i th position in fi, it cannot be competitive at the j th 
position for any j > i. 

Proof. Follows directly from Claims 6.26 and 6.27. ■ 

Claim 6.29 Any u G 3>(s) is competitive at the V^ m position in fi. 

w 

Proof. By the definition of pYanA by Observation 6.19Ts.ID u ■< pT&nd furtherriDLENGTH(s. ID^,) 
-^ ^mm- -tience s.±u u y±..i min ^ — ^/[i..t mm j. ■ 

65 



Corollary 6.30 No node u G 3>(s) is dominant before the {l min + l) th position in (3. 

Proof. Follows directly from Claims 6.28 and 6.29. ■ 

Definition 6.31 (Competitive and dominant executions) Let HTsTs k T/2T[3 and f3 x be 
as defined above. Thenr 

• Execution (3 is competitive at the i th position if no node is dominant before the (i + l) th 
position. 

• Execution (3 is dominant at the i th position if no node is dominant before the i th position 
and there exists u G 3>(s) such that u is dominant at the i th position. ■ 

Claim 6.32 An execution (3 cannot be both competitive and dominant at the i th position, for 

any i. 

Proof. Follows directly from Definition 6.31. ■ 

Claim 6.33 Let i < l max . If [3 is competitive at the i th position, it is either competitive or 
dominant at the (i + l) th position. 

Proof. Since (3 is competitive at the i th positionFno node is dominant before the (i + l) th 
position. If some node is dominant at the (i + l) th positionF/3 is dominant at the (i + l) th posi- 
tion. OtherwiseFno node is dominant before the (i + 2) th positionFand hence (3 is competitive 
at the (i + l) th position. ■ 

Having described competitive and dominant executionsFwe now define the corresponding 
events of H . 

Definition 6.34 (Competitive and dominant events) Let H T sT and SjTbe as defined 
above. Fhenr 

• Fhe event e^T "competitiveness at position iY is defined as 

e)j = {/3| G Q-TT | [3 is competitive at the i th position} 

66 



• The event e^ consists of those executions in e c ) in which exactly j nodes in 3>(s) are 
competitive at the i th position. 

• The event e^T "dominance at position iY is defined as 

e'p = {/3f G Q-ff | P is dominant at the i th position} 

• The event eg is defined as a subset of the set of executions in which a state in Q is reached 
within time 2S; in particularr 

e g ± {{!] e % | s k (p) e G} 

We now state some important properties of events. 

n 

Claim 6.35 e [ § = \Je [ ^ j] . 
i=i 

Proof. From the definitions (recall that n is the size of the network). ■ 

Claim 6.36 For any i < l max , e c j n e)j = <f>. 

Proof. Follows from Claim 6.32. ■ 

Claim 6.37 For any i < (l max - 1), e£ +1] ,e£ +1] C e [ §. 

Proof. Follows from Definitions 6.34 and 6.31. ■ 

Claim 6.38 For any i < (l max - 1), e [ § = e£ +1] U e£ +1] . 

Proof. By Claim 6.37r4 +1] U 4 +1] C e [ §. By Claim 6.33Te [ § C e£ +1] U e£ +1] . Hence follows. 



Claim 6.39 ^ # = 4""" ] - 



67 



Proof. Consider any execution fi\ £ ^77 • From Corollary 6.30Ht follows that fi is competitive 
at the V^ m position. ■ 

Claim 6.40 ^ = e^" +1] U e^" +2] U e^" +3] U . . . U e^" -11 U e^"" 11 . 

Proof. We haver 

tt-jj = e l c m " ] (Claim 6.39) 

= e£"" +1] U e^-" +1] (Claim 6.38) 

= e [ l"" n+1] U e ^-" +2] u 4"- +2] (Applying Claim 6.38 again) 

= e [ l"" n+1] U e ^-" +2] u . . . U e ^"- 1] u e^."" 1-11 (Inductively applying Claim 6.38) 



Note that Claim 6.40 defines a partition of Q-jf- 

Definition 6.41 Node u flips at the i th position in fiTif in fii there exists a step (s', a, s") such 
that in aTu makes a call to Append- Entry which appends an entry to ID U at the i th position. 

Lemma 6.42 Let fi £ efj . For any u £ $>(s), i/idlength(s./D u ) < i, and if u is competitive 
at the i th position in fi, then u flips at the (i + l) th position in fi. 

Proof. Consider fii = sa 1 s 1 a 2 . . .s fc . Since u is competitive at the i th position in fiTthere 
exists a a, £ fi such that u £ p(si) and Si.ID u [l..i] = fj,[l..i]. Alsorby the definition of s k T 
s k .ID u y p. Nowrby Lemma 6.20TID U can only change by extension in saiSia 2 ■ ■ .s k Tso we 
can choose s, such that Si.ID u = /i[l..i]. 

Consider the suffix of the execution that starts with s,. The only way ID U can change 
between s, and s k is by executing calls to Append- Entry or by executing statement [G]. If 
Append-Entry is performed firstTan entry is appended at the (i + l) th positionFso we are done. 
If [G] is executedrthere exists a node / such that ID u i y ID U . By Claim 6.3TID ul = ID\ for 
some preceding state. Since fi £ efjYl is not dominant before the (i + l) th positionFand hence 

W 

ID\[l..i\ = fi[l..i]. Hence ID U -<; ID U IT said so the call to Append-Entry in [F] must have been 
executed firstTin which case u would have flipped at the (i + l) th position. ■ 

68 



Lemma 6.43 For any i < l max , e c f C eg. 

Proof. If fi G e c f Tno node is dominant before the (i + l) th positionLso for any u G ^(sjjL 
s k .ID u [l..i] = fj,[l..i]. But then any such node is competitive at the i th positionLand there is 
only one such nodeLsince fi G eft . Hence |<i>(s fc )| = lLand so s k G Q. ■ 

We now ListLwithout proolTsome basic results of conditional probability: 
Proposition 6.44 Let A, A i} B, B i} and X be events on a sample space. Then, 

k 

1. IfA=\J Ai, then P(X \ A) > min^ P(X \ A,-). 

8 = 1 

k 

2. IfAc\J Ai, then P(X \ A) > min^ P(X \ A n A,-). 

8 = 1 

k k 

3. Let \J Ai C A. If P((\J Ai) \ A) = p, and if P(X \ Af) = Pi , then 

8=1 8=1 

P(X I A) > p X mmi{pi}. m 

Lemma 6.45 For any i such that (l mm + 1) < i < l max and any j > 1, P(eg \ e)j n e c 7 Jj ) > 

1/2. 

Proof. Consider any execution fi G e D } f] efT . Since fi G efT J T there are j nodes com- 
petitive at the (i — l) th position. Of these j nodesrthere are exactly |$ > ( ! -_i)(s)| nodes u 
such that idlength(s./D u ) > (i — l)Tand consequently k = j — |$ > ( ! -_i)(s)| nodes such that 
idlength(s./D u ) < (i — 1). Thus by Lemma 6.42Leach of these k nodes must flip at the i th 
position. Hence V\ M describes the sample space corresponding to these k flips. If fi G e)jT 
there exists a flip higher than fj,[i]. If exactly one of these flips is the highestLthen ft G eg. 
ThusL 

P(e g | eg n 4~ 1,i] ) > P r ,(UNIQH | (Highest > /x[i])) > 1/2, 

by Theorem 4.2. ■ 

Theorem 6.46 For any i such that (l mm + 1) < i < l max > P( e g I 6 d) — 1/2- 

69 



Proof. We have e)j C e^ by Claim 6.38. Thus by Claim 6.35r 

n 

eg c U4" 1J] 

i=i 
which impliesrby Proposition 6.44(2)Lthat 

P(e g \e [ S) > mmP(e g \e [ Sne [ ^). 
j 

Since by Lemma 6.45 P(e g | eg n 4~ 1,i] ) > 1/2 for all jTit follows that P(e g | eg) > 1/2. ■ 

Lemma 6.47 For any j > 1, P((eg"" ] U 4™"' 1] ) | e £"" I ~ 1 "' ] ) > 0.22. 

Proof. Consider any fi £ e c .""~ . There are j nodes competitive at the (l max — l) th position; 
of theseLlDLENGTH(s. ID r ) > l max - 1 for exactly one node rLand thus idlength(s. ID„) < 
l-max — ^- f° r exactly (j — 1) nodes u. Thus by Lemma 6.42 these (j — 1) nodes must flip at the l^ ax 
position in /3Land the sample space T : ^~ M describes these flips. The event e£" is equivalent to 
the event (Highest > [i[l max ]). The event e c ma " is equivalent to the event (Highest < fJ,[l max ])^' 
since one node r is already known to be competitive at the l^ ax position. ThusL 

P((eg"" ] U el~"' 1] ) | elr-- 1 ^) = P^Highest ± fi[l max \) > 0.22 

by Theorem 4.3. ■ 

Theorem 6.48 P(e g \ e£""" _1] ) > 0.11 

Proof. Consider the event e c m "~ ' . 

By Lemma 6.47LP((eg"" ] U 4™"' 1] ) | e £"" I ~ 1 "' ] ) > 0.22. ThusLwe have 

p((e ^„] ne ^„-i, J 1 )u(e ^„,i] ne ^„-i, J 1 )|e ^„-i, J ] ) > _ 22 

AlsoLby Lemma 6.45L 

P(e |eg-» ] ne^»- lj] )>l/2 

70 



and by Lemma 6.43r 

P(e g | (4- 1] n eP-- 1J " ] )) = 1. 

Hence applying Proposition 6.44(3)Twe have 

P(e |4" , "- lj] )>(O.22)(l/2) = O.ll. 

n 

Now by Claim 6.35Te l c m "~ 1] = \J e£"" I_1 "' ] . Thus by Proposition 6.44(l)r 

i=i 

P(e g \e [ c m "~ 1] ) > minP(e g | e^"" 1,i] ) > 0.11. 



.26 
Proposition 6.49 P(e g \ Sl-jr) > 0.11, or equivalently, C 1 — > Q . 

Proof. By Claim 6.40rfi-^- = e l"" n+1] U e £"- +2] u e £"- +3] u . . . U e [ ^"~ l] U eg."" -11 . By Theorem 
6.46rP(e I e [ S) > l/2rand by Theorem 6.48rP(e | e^."" 1-11 ) > 0.11. Hence applying 
Proposition 6.44(1)T 

P(e g I fly) = P(e g I e^ U e^ U . . . U eg,— 1 ' U C&— ^ 
> min(l/2, 1/2, ...,1/2, 0.11) 
= 0.11 



71 



72 



Chapter 7 

Correctness and Complexity Proof: 
Part 2 — The Coloring Algorithm 



In this section we prove the Tree Detection PropositionLC = — > C 1 (Proposition 7.80). Thusr 
starting from a state in C = Lwithin time 77S + 36rwith probability at least 2/9rwe reach a 
state in which only one candidate has the maximal ID length. This is the "tree detection" 
property — ilTin some stateLall root nodes in the network have equal IDsrthenrbecause of the 
coloringrthe competition makes "progress" within expected O(S) time. 

The overall strategy of the proof is as follows: We first showrin Lemma 7.1Lthat starting 
from a state s £ C = Lany execution fragment a must remain in C = until a state in C 1 is 
reached. Thusrto show the partial progress properties of the coloring algorithmLwe consider 
an execution fragment a x in C = . NextLin Section 7.1Lwe show that within time 28 + 1 in o^La 
state defining a "stable forest" is reached. (We denote the set of states defining a stable forest 
by Cg F .) Let a 2 be any execution fragment in Cg F . The graph of parent pointers remains 
fixed in Cg F ; the network can thus be visualized as a collection of "fixed" trees over which the 
coloring algorithm runs. 

When a state in Cg F is reachedLthe coloring variables (i.e.L colorT mode) may be in an 
inconsistent state — normal "broadcast" and "echo" waves (cf. Section 5.1) may not be able to 

73 



commence immediately. Section 7.2 shows that within time 178 + 7 in a 2 La state is reached in 
which the coloring variables become consistent. (C^ c is the state set consisting of such states.) 
The coloring algorithm can proceed normally in any execution fragment a 3 in C^ c . 

Let a 3 be a fragment in C^ c . For any tree T r Ta 3 can be partitioned into coloring epochs for 
T r . In each coloring epoch 7 in C^> c Lthe root color is propagated to all nodes in T r (through 
a "broadcast wave")rand the root waits for all nodes in its tree to echo before choosing a new 
color and initiating the next coloring epoch. If a node with a non-zero color in some tree T 
notices that a neighbor has a non-zero color different from its own colorrit sets other-trees 
to truer and this information is propagated to its root. (It is "piggy-backed" on the "echo 
wave"; its ancestors successively set their other-trees to true while echoing.) After a root sets 
other-trees to trueLit extends its IDLthus reaching a state in C 1 . 

As discussed in Section 5.1Lwhen a node receives a new non-zero color it waits until 1) 
it has observed a non-zero color for each of its neighborsLand 2) each neighbor has observed 
its own color. Section 7.2.2 and Lemma 7.61 show that a node cannot be "blocked" by its 
neighbors in this fashion for more than 10<*> + 5 time. Based on this resultLa coloring epoch 
cannot last more than 13 S + 6 time. (Note that the individual node "waits" are not dependent 
on each other; they can overlap.) 

Each coloring epoch in C^ c gives a tree at least one "opportunity" to detect neighboring 
treesLand each epoch lasts at most 13 S + 6 time. Section 7.3 formalizes this notion. If T and 
T are neighboring treesLwe show that starting from a state in C^j> c Lat least one of the two 
trees must detect the existence of the other within time 58<*> + 28Lwith probability at least 2/9. 
When this information is conveyed to the root of the "noticing" tree shortly thereafterLthat 
root extends its IDLand a state in C 1 is reached. Since the total time elapsed starting from a 
state in C = would then be 77<*> + 36Lthe Tree Detection Proposition (Proposition 7.80) follows. 

We now proceed with the details of the proof. 

Lemma 7.1 Let a = So a i s i • • - s k be an execution fragment of RSST, and let s £ C = . Then, 
unless a state in C 1 is reached in a, the following conditions hold for all states s in a: 

74 



i. sec= 

2. $(s) = $(s ) 

3. s.MAXID = s .MAXID. 

Proof. Consider any step (s,a, s') such that s G C = . Since C = C J-T by the definition of TV 
s.ID uv < s.MAXID for every ulb. Let u be the node executing action a. Then there exist two 
possibilities: 

Case 1 u G - <J>(s). 

Then u G - <J>(s') by Lemma 6.22Land since all other IDs are unchangedL(l) s' G C = L(2) 
$(s') = $(s)Land (3) s'.MAXID = s.MAXID. 

Case 2 u G $(s). 

Then m must be in />(s')Lsince otherwise u must have executed statement [G] in MAXIMIZE- 
P RIO RITY u r which would imply that there exists a node / such that s.ID u i y s.ID u T 

w 

which is impossible since s G J- &nd s.ID u =s.MAXID. Thus by Lemma 6.20Ts.ID u ■< s'.ID u . 

If s.ID u = s'.ID u T(l) s' G C=L(2) $(s') = $(s)Land (3) s'.MAXID = s.MAXID. If 

w 
s.ID u -< s' .ID U T then since the IDs of all other roots in $ are unchangedLs' G C . 

By induction on the steps in oTthe Lemma follows. ■ 

The following definition makes it convenient to describe progress properties of executions 
starting from a state in C = . By Lemma 7.1Lsuch an execution must either reach a state in C 1 
or remain in C = . ThusLprogress towards a subset U' of C = can be described in terms of the 
following notation: 

Definition 7.2 If U and U' are state sets, then 



U=^ U' = U -U U'U c 1 



75 



Recall from Section 2 that set Pis c/osedTwritten U — ► P [sir if for any s G P and any 
step (s,a, (0, S,P))rO C P. We now give an analogous definition for analyzing the coloring 
algorithm: 

Definition 7.3 P =>■ U\°\, if for any s G U and any step (s, a, (0, X, P)), C P U C 1 . 

Thus if P =>■ PsTany execution fragment beginning with a state in P remains in P until 
a state in C 1 is reached. 

7.1 Forest Stability 

We now define a very important notionrthat of a "stable forest." In order for the recoloring 
algorithm (used to detect other trees) to succeed in 0(6) expected timerthe forest structure 
must be "stable" while the algorithm is operatingri.e.Tthe parent pointers remain fixed. We 
now precisely define the set Cg F of states defining a stable forest. We then show that starting 
from a state in C = Twithin time 2^+lTunless a state of C 1 is reachedra state defining a stable 
forest is reached. 

Definition 7.4 (Cg F ) The set Cg F ("SF" for "Stable Forest") is the set of all states s G C = 
for which the following conditions hold for all nodes u: 

1. s.ID u = s.MAXID, 

2. u G p(s) =>■ distance u = 0, and 

3. (parent u = v) =^ 

• distance uv = distance v , 

• distance u = distance v + 1, and 

• v = m&x xeNhrs ( u) {x | (ID X , distance,,) = max^M^) (ID w ,distance w )} ■ 

Lemma 7.5 For any step (s, a, (0, S, Pj) such that s G Cg F and for any s' G 0, for all u and 
v, s. (parent u = v) =^ s' .(parent u = v). 

76 



Proof. Let s' G 0. The only action a that could change parent u is MAXIMIZE-PRIORITY u . 
Since s G Cg F T for any w G Nbrs(u) such that w 7^ s. parent U T s.( ID uw , distance uw ) <C 
s.(ID w ,distance w ) = (s.MAX\D,s.distance w ). Thus if f = s. parent U T (ID uv , distance uv ) = 
max^gjvirs^) (ID ux , distance ux ). Hence / is set to v in [E]L[F] does not change ID^Land [G] 
ensures that s' . parent u = v. ■ 

Lemma 7.6 Cg F =>■ C^Isl. 

Proof. Let (s,a, (0, S,P)) be a step such that s G Cf F . Let s' G fiLand let a be performed 
by u. Since membership in Cg F is determined by the variables IDT distance and paren^Lthe 
actions DETECT-TREES and NEXT-COLOR cannot change membership in Cg F . Consider 
the fohowing remaining possibilities for a: 

Case 1 a=C0FY uv . 

The only statement of interest is [A]; by clause (3) of the definition of Cg F Tdistance u , parentu 
must remain unchangedLand s' G Cg F . 

Case 2 a =MAXIMIZE-PRIORITY tl . 

If u G p(s)r[H] is executedLand s' G Cg F . If u G - p(s)riet v = s. parent u . Then [E] sets / 
to tT[F] has no effectLand [G] preserves the values of ID U T distance u and parent u . Thus 
s G C SF . 

Case 3 a =EXTEND-ID U . 

If ID U is extendedLthen s' G C 1 . ■ 

Lemma 7.7 C = =/- Cg F . 

Proof. Let s G C = Land consider any execution fragment a = s aiSia 2 ■ ■ ■ a k s k in C = of 
duration > 28 + 1. Let the minimal distance of node u be defined as 



X>(m) = min Dist(w, v) 



77 



We show by induction that for any i < <Tthere must exist a state s' in a such that s' .now < 
s .now + 2i + lTand for each node u such that V(u) < iTu satisfies the conditions (1)L(2) and 
(3) in Definition 7.4rfor membership in Cg F . (Let such a node be called locally stable.) Since 
V(u) < 8 for all nodesrthere must then exist a state s in a such that s.now < s .now + 2(5+1 
and all nodes are locally stableLwhich implies that s G Cg F . 

FirstTlet i = 0. The only nodes u for which V(u) = are those in the set 3>(s ); within 1 
time unitLeach such node will have executed statement [H] of MAXIMIZE-PRIORITY and 
will have set its distance to and will have thus become locally stable. 

For the inductive stepriet there exist a state s' in a such that s' .now < s .now + 2i + IT 
and each node u for which V(u) < i is locally stable. We show that there exists a state s" 
following s' such that s" < s + 2(i + 1) + 1 and each node u such that V(u) < i + 1 is locally 
stable. 

The conditions for local stability imply that in state s'TID u = s .MAXID and distance u = 
V(u) for each node u such that V(u) < i. Consider any node u for which V(u) = i + 1. Let M{u) 
be the set of neighbors w of u for which V(w) = i; s' .ID W = s.MAXID and s' .distance w = i for 
all such w. There must then exist a state s'" following s' in a such that s'" .now < s' .now + 1 and 
(ID UW , distance uw ) = (s .MAXID, i) for all w G Af{u). Since there must exist a MAXIMIZE- 
PRIORITYt, step within time 1 after s"Tthere exists a s" following s'" in a such that s" .now < 
s'" .now + 1 and u is locally stable. Hence the inductive step follows. ■ 



7.2 Self- Stabilization of the Coloring Algorithm 

As was stated in the previous sectionLthe forest structure must be stableLi.e. the state must 
be in Cg F T while the algorithm is operating. Lemma 7.7 guarantees that starting from any 
state in C = La state in Cg F is reached within 2^+1 time. HoweverLwhen a state in Cg F is 
reachedLthe coloring variables may not be in a consistent state — they may be arbitrarily setL 
so the broadcast-echo mechanism may not commence immediately. In this section we show 

78 



that within time 178 + 7rthese variables become consistentLand the coloring algorithm can 
proceed correctly. 

In Definition 7.9rwe define a "coloring predicate" L(m) on individual nodes; if all nodes in 
a tree T r satisfy L(m) and if T r satisfies another predicate LTthe coloring variables in that tree 
are consistent. T r is then said to be "well-coloredF and the state set QT r { LL QT V for "Good 
Tree") is defined as the set of states in Cg F in which T r is well-colored. C^ c is defined as the 
set of states in Cg F in which all trees are well-colored. 

We show that starting from a state s in Cf F Lunless a state in C 1 is reachedrfor any tree T r 
a state in QT r is reached within time 178 + 7 (Lemma 7.65). We do so using the intermediate 
state set AiT r — the set of states in which T r is monocoloredTi.e. all nodes in T r possess the 
same color. Section 7.2.1 shows that any tree must get monocolored within time A8-\-l. Section 
7.2.2 shows that once a tree is monocoloredrit must get well-colored within 13<*> + 6 additional 
time. 

We first define what it means for coloring variables to be "consistent." 
Definition 7.8 (T r , tree(w), leaf, root interval, branch, height, BRANCHEs(T r )) 

• Let r G p(s). A tree rooted at node r is the set 

T r = {u | r is an ancestor of u.} 

• TREE(f )Lthe tree containing node vTis defined as the unique tree containing v. 

• A leaf is a node that is not an ancestor of any other node. 

• A sequence of nodes R = UiU 2 ■ ■ .u k is a root interval of T r if u x = r and parent u = Ui_i 
for every i > 1. 

• A root interval B = UiU 2 ■ ■ .u k is a branch if it terminates in a leaf (i.e.Tu k is a leaf). 

• The height of a treeLwritten HElGHT(T r )Lis the maximal length of a branch in T r . 

79 



• BRANCHEs(T r ) denotes the set of all branches in T r . ■ 

Definition 7.9 (Coloring predicates) Let v = parent u . Then the following coloring predi- 
cates are defined for node u: 

• L1(m): (color u j^ color v ) =>■ (mode u = echo) and (mode v = broadcast). 

• L2(m): mode u = broadcast =>■ 

— mode v = broadcast 

— color u = color v 

— If w G Children^r 

(mode uw = echo and color uw = color u ) =>■ mode w = echo and color w = color u . 

• L3(m): mode u = echo =>■ \/w G Children^, 

— color u = color uw = color w Tand 

— mode uw = mode w = echo. 

• L(u) = Ll(u) AL2(m) AL3(m). 

Definition 7.10 (Well-coloredness) A tree T r is well-colored in state s if it satisfies the 
following conditions: 

1. All nodes u G T r satisfy L(m) in s. 

2. (Predicate L') At most two colors are contained in T r n.e.r 

| M s.color u \ < 2 

u£T T 

Definition 7.11 (QT r ) 

QT r = {s G Cg F | T r is well-colored} 
80 



The following Lemma shows that once a tree is well-coloredrit stays well- colored: 

Lemma 7.12 QT r =>■ QT r \°\. 

Proof. Let (s,a, s') be a step such that s G QT r . Note that the only variables that are 
referenced by the coloring predicates are color U T mode U T and for all v G Children^ Tcolor uv and 
mode uv . We consider each a G ac£s( RSST)Lin turn: 

Case 1 a = COPY ut ,. 

Since u can only copy a color from vVL' must be true in s' . If v j^ parent u and v G - 
Children^Lthe coloring predicates remain unchanged. If v = parent u Tthen [D] may be 
executed. If s. color u ^ s.co/or^Lthen s' .color u = s' .color V T and s' .mode u = s' .mode v = 
broadcast. AlsoLbecause L' holds in sLfor all w G Children^Ls. color w = s. color U Y which 
implies s' .color w ^ s' .color u . Thus Ll(M)LL2(M)Land L3(m) are true in s' . FurtherL 
L2(f) holds in s' . Since s.mode w = s' .mode w = echo for any child w of uTw satisfies L1L 
L2 and L3 in s'. 

If v G Children u LLl(M)LL2(M) and L3(m) continue to hold in s' . 

Case 2 a =MAXIMIZE-PRIORITY u . 

Since s G Cf F Lall variables in s' are identical to those in s. 

Case 3 a =DETECT-TREES„. 

If [K] is executed then s' .mode u = echo. LI and L2 are trivially satisfiedLand L3 is 
satisfied in s' because of the conditions in [J] and the fact that L2 was satisfied in s. 

Case 4 a =NEXT-COLOR u . 

If the test in NEXT-COLOR is trueLu G / o(s)Land L3 implies that all nodes v G tree(m) 
have the same color c in s. Hence L' is satisfied. The coloring predicates can be seen to 
hold. 

81 



Case 5 a =EXTEND-ID U . 

If the test is satisfiedrthen s' £ C 1 . ■ 

Definition 7.13 (C^ c ) 

C wc - K Cfp, I s £ G^r Vr G p(s)} 
Corollary 7.14 C^ c =>- C^ c \e1. 

Proof. This is a direct consequence of Lemma 7.12 and Definition 7.13. ■ 

Once a state is in C^j> c Lthe coloring algorithm can proceed "normally" over all trees in the 
forest. We show that starting from a state in Cf F Lunless a state in C 1 is reachedrwithin time 
176 + 7 each tree becomes well-coloredrso within time 176 + 7 a state in C^ c is reached. Thus 

1 1 1) A-1 1 it, I 1 

we show that C$ F ==£ QT r for all roots rLwhich implies that C$ F ==£ Cwc (this is shown in 
Lemma 7.65). 

Definition 7.15 (Monocolored, bicolored intervals and trees; AiT r ) A tree T r is mono- 
colored in s G Cg F if it contains only one color Li. e. color u = c for some color c and all u G T r . 
(We say that T r is monocolored with color c.) The set AiT r is defined as the set of states in 
Cg F in which T r is monocolored. SimilarlyLa root interval is monocolored if it contains only 
one color. T r is bicolored if it contains two colors (cf. Definition 7.10). ■ 

C C 

The statement Cg F =£ QT r is proved using two main results: Cg F =$- MT r (the "Mono- 
coloring" Result) and MT/Mj 6 £T r (the "Blocking" Result). 

7.2.1 The "Monocoloring" Result 

In this section we establish the first of the two self-stabilization resultsLCf F =/- AiT r . ThusL 
starting from a state in Cg F defining a stable forestLany execution a reaches a state in which 
tree T r is monocoloredLwithin time A6 -\- 1. 

82 



An overview of the proof follows. A coloring epoch of color c for T r is defined as a maximal 
execution fragment contained in a in which the root color color r remains fixed at c; color r 
changes from one epoch to the next. As will be apparent from the code for COPYrif a node 
notices that it has a color different from that of its parentLit copies its parent's color. A root- 
color interval for a branch in T r is the maximal root interval in the branch that has the same 
color as the root. Since children copy their parents' colorrin any coloring epoch the root-color 
interval for any branch can only increase. Thusrin the last state of a coloring epoch 7rthe 
root-color intervals in a tree are of maximal length; the scope of 7 is the depth upto which the 
root color has propagated in epoch 7. Thus in the last state of an epoch 7 rail root intervals 
of length < Scope(7) are colored with the root color. 

Consider any branch B in T r of scope m in some coloring epoch 7 of color c. When the 
root chooses a new color c' and sets its mode to broadcastLthus initiating the next coloring 
epoch 7 Tall its descendants of depth < m are colored c. Because a root must echo before it 
can choose the next colorLall descendants of depth < m-\- 1 must be colored with c' in coloring 
epoch 7'. Thus each coloring epoch has a higher scope than its predecessor (provided that this 
is feasibleri.eTthe scope of its predecessor was not HElGHT(T r )). If a coloring epoch of scope 
HElGHT(T r ) is reachedrthere must exist some state in that epoch in which T r is monocolored. 

A finer analysisrin Lemmas 7.37 - 7.39rshows that if a coloring epoch 7' is of duration 
Arits scope is at least |_AJ higher than that of its predecessor 7 (if feasible). Based on this 
progress propertyrLemma 7.40 shows that the scope of a coloring epoch beginning after time 
fin a must be at least t/2. Thus we concluderin Lemma 7.41Lthat within time 3<*> an epoch 
of scope > HElGHT(T r ) is reachedLand thereforeLin Lemma 7.42Lthat a monocolored state is 
reached in time < 4S + 1. 

Definition 7.16 (Root-color interval) Let s G Cg F ; let T r be a treeLand let B £ BRANCH- 
Es(T r ). The root-color interval of BTdenoted RC(B)Y\s the maximal prefix u . . .u, of B having 
the same color as the root M Li.e.Lfor which color(u) = color (u^) for every u G RC(B). ■ 



83 



Definition 7.17 (Root-color extent) Let B G BRANCHEs(T r ). The root-color extent of BY 
written ExTENTfBlLis defined as: 



EXTENTfi?) 



f . \RC(B)\ rif RC(B) ^ B (i.e.TRC(B) is a proper prefix of B) 
2. HEiGHT(T r )rif RC(B)= B. 



Thus the root-color extent of a branch is the length of the maximal prefix that has the 
same color as the rootT unless the whole branch has the same colorrin which case it is the 
height of the tree. 

Definition 7.18 (Root-color domain) The root-color domain of tree T r T written Dom- 

AiN(r r )r 

DoMAiN(T r ) = min Extent(_B). 

Be branches (T r ) 



Claim 7.19 Let (s,a,s') be a step inCg F . For any root r G p(s)P\p(s'), if s. color r ^ s' '.color y, 
then a = NEXT-COLOR,. 

Proof. From the codeLthe only statements that can change the color of r are [D] of COPY 
and the actions NEXT-COLOR, and EXTEND-ID r . Since parent r = nilL[D] of COPY is not 
executed. If a =EXTEND-ID r and s. color r j^ s'.co/or r Lthen s.ID r -< s'.ID r Land so s' (j£ Cg F . 
Hence the only possibility for a is NEXT-COLOR,,. ■ 

Definition 7.20 (Coloring epochs) Let a be an execution fragment in Cg F . A coloring 
epoch for tree T r is a maximal execution fragment 7 contained in a such that color r remains 
constant in 7. Let Color(7) denote the color of epoch 7Li.e. s. color r for any s G 7. ■ 

Observation 7.21 From Claim 7.I9Lfor any tree T r Lany execution a in Cg F contains coloring 
epochs 71L72L73L . . for T r Lsuch that a = 7i«7 2 a 73 a • • Twhere a = NEXT-COLOR,,. 

84 



Claim 7.22 Ifji and j i+1 are successive coloring epochs in some execution a then 



• 



Color(7 8 ) = =>- Color(7 j+1 ) 7^ 



• Color(7 8 ) 7^ =>- Color(7 j+1 ) = 



Proof. Follows from the code for NEXT-COLORrNew-Color() and Reset-Color(). ■ 

Definition 7.23 (Scope) Let 7 be a coloring epoch for T r . The scope of a coloring epoch 7 

for T r is 

Scope(7) = maxs.DoMAiN(T r ) 

v ' sG7 v ' 

The scope of 7 for a branch B in T r is defined similarly: 

Scope b (7) = maxs.ExTENT(_B) 



Lemma 7.24 Let u G - p(s) and let a be an execution fragment in Cg F starting with s. In 
any step (V,a,s") in a such that s" .color u 7= s' .color u , s" .color u = s' .color parentu , s".mode u = 
broadcast, and for all v G Children^, s" .color uv = undefined. 

Proof. From the codeLa must be COPY^Land [D] must be executed. ■ 

Lemma 7.25 In any step (s,a, s') in some coloring epoch 7 for T r , s. color u = s' .color u for 
any u G s.RC(B), where B G BRANCHEs(T r ). 

Proof. By induction on the depth of u in T r . Let s.RC(B) = u x . . .Ui. Since s,s' G 7L 
s. color Ul = s' .color Ul . Suppose s.color Uk = s' .color Uk for some u k G u x . . .Ui_i. Since u k+ i G 
RC(B)Ys. color u = s.color Uk . If s' .color Uk+1 7= s.color Uk+1 Lthen by Lemma 7.24 s 1 .color Uk+1 = 
s. color Uk T which is a contradiction since s.color Uk+1 = s. color Uk . ■ 

85 



Corollary 7.26 Let 7 be a coloring epoch. If (s,a, s') is a step in 7, for any branch B G 
BRANCHEs(T r ), s.RC(B) is a prefix of s'.RC(B). 

Proof. Let B G BRANCHEs(T r ). From Lemma 7.25Lfor every u G RC(B)T s 1 .color u = 
s. color u = s. color r . Hence the Corollary follows. ■ 

Corollary 7.27 In any coloring epoch 7, Domain (T r ) cannot decrease. 

Proof. Immediate from Definition 7.17 (ExTENT)LDefinition 7.18 (DoMAlN)Land Corollary 
7.26. ■ 

Lemma 7.28 Let a be an execution fragment contained in some coloring epoch for T r . Let t = 
(Istate(a).now — fstate(a).now). Then lstate(a).T)OMAlN(T r ) > min((/state(a).DoMAlN(r r ) + 
L^J),HEIGHT(T r )). 

Proof. We show that for any B G BRANCHEs(r r )L/state(a).ExTENT(i?) > min(/state(a).ExTENT(i?) 
+ |_£_|LHElGHT(T r )). The Lemma then follows from the definition of DoMAlN(T r ) (Definition 

7.18). 

Consider any branch B = u x ■ ■ -U\ in T r Land an execution fragment a = s aiSia 2 ■ ■ ■ a k s k 
contained in some coloring epoch 7 of color c for T r . Let t = s k .now — s .no«?Land let t' = [t\ . 
Let R = s .RC(B) = ui . . .u,. 

We show that if / > i + i'Li.e.Lthe length of branch B is at least i + i'Lthen u x ■ ■ ■ u i+t i is 
a prefix of s k .RC(B). OtheiwiseT s k .RC(B) = B. 

If f = OLthen Corollary 7.26 implies that u x . . .it; is a prefix of s k .RC(B). 

If t' > lLand if / > i + lLthen there must exist a step (s, COPY Ui Ui , s') in a such that 
s' .now < s .now + 1. Corollary 7.26 implies that s.color Ut = c; hence s' .color Ui = cL and 
Ui . . .u i+ i is a prefix of s'.RC(B) and s k .RC(B). 

86 



If t" > 2 and / > i + 2rthen there must exist a step (s", COPY Ui Ui , s'") in a such that 
s'" '.now < s .now + 2 and s" follows s' in a. AgainrCorollary 7.26 implies that s". color Ui = c; 
therefore u x ■ ■ .u i+2 is a prefix of s".RC(B). 

The Lemma follows by proceeding inductively as above. ■ 

Lemma 7.29 Let u, v £ T r , and let parent u = v. Let (s ,COPY u „,Si) be a step in which 
s .color u j^ Si.color u , and let a = s aiSia 2 . . . be an execution fragment starting with this step, 
contained in some coloring epoch for T r . Let w be a child of u. If there exists s, £ a (i ^ 0) 
such that Si.mode u = echo, then there exists s' between s and s, such that s' .color u = s' .color w . 

Proof. From the codePstatement [D] in COPY ut , must have been executed in the first stepr 
so from the code for Reset-ColorQrs!. mode u = broadcastTand s±. color uw = undefined. 

Since Si.mode u = echor there must exist a step (V,a,s") between Si and s, such that 
s' .mode u = broadcast and s" .mode u = echo. From the coder the only possibility for a is 
DETECT-TREESt,. From statement [J] Tit follows that s' .mode uw = echo and s' .color uw = 
s' .color u . Since s' .color w = s' .color uw Ts' .color u = s' .color w . ■ 

Let var be one of the state components for a node (e.g. modeT color) Tand let value be one 
of the corresponding values that can be assumed by the state components (e.g. "broadcastF 
for the mode component). Henceforthrto ease the notationrthe expression var(uiu 2 ■ ■ .u k ) = 
value will be used to denote the relation var Ul = var U2 = . . . = var Uk = value. 

Definition 7.30 (Broadcast and echo intervals) Let R = UiU 2 ...u k be a root interval. 
Thenr 

• R is a broadcast interval if mode(uiU 2 . . .u k ) = broadcastTand L(m) is true for all u in 
R. (Note that the conditions of L imply that for such an intervair color(uiU 2 . . .u k ) = 
some color cPand for each Uj in u x u 2 . . .u k _iT^(mode UjUj+1 = echo and color UjUj = c).) 
A broadcast interval of color c is a broadcast interval in which every node has color c 
(color u = c). 

87 



• R is an echo interval if mode(uiU 2 ■ ■ .u k ) = echoFand L(m) is true for all u in R. (Note 
that the conditions of L imply that for such an intervair color(uiU 2 ■ ■ .u k ) = some color 
crand for each Uj in u x u 2 . . .u k T (mode UjUj+1 = echo and color UjUj+1 = c).) An echo 
interval of color c is an echo interval in which every node has color c. ■ 

Lemma 7.31 Let R = u x u 2 ■ ■ -u k be a a broadcast interval of color c in s, and let a be an 
execution fragment in Cg F starting with s. If there exists s' in a such that s' .color u ^ s.color u 
for some u £ R, then there exists s" before s' in a such that R is an echo interval of color c 
in a. 

Proof. The coloring epoch containing s' must be different from that containing s. A new col- 
oring epoch for R can only begin after a state Si in which Si.mode Ul = echo. From the code for 
DETECT-TREEST^! must follow a state s 2 such that s 2 .mode UlU2 = echo and s 2 .color UlU2 = c. 
AlsoT s 2 .mode U2 = echo and s 2 . color U2 = c. Thus u x satisfies L(m). Proceeding inductivelyT^ 
must follow some state s k in which s k .mode Uh _ lUh = s k .mode Uk = echorand s k . color Uk _ lUk = 
s k . color Uh = c. Hence R is an echo interval of color c in Si. ■ 

Lemma 7.32 Let 7 be a coloring epoch for T r , and let s be a state in 7 such that in a branch 
B = UiU 2 . . .u k of T r , there exist i,j such that u x . . .Ui is a broadcast interval of color c, and 
color(u i+ i . . .Uj) = c' 7^ c. (Such an interval u x . . .Uj is called properly bicolored.^) Then, 

• There exists s' following s in 7 such that u x ■ ■ ■ Uj is a broadcast interval of color c, and 
(therefore) 

• Scope b (7) >j. 

Proof. Ui . . .Ui is a broadcast interval of color c in state s. In any execution fragment a 
beginning with sFa new coloring epoch 7' can only begin after a state Si such that Sx-mode ul = 
echo (from the code for NEXT-COFOR). But since s.mode ul = broadcast and ~L2(ui) holds 
in sr Si must follow some state s 2 in which color U2 = c and mode U2 = echo. Continuing 

88 



inductivelyl 1 ^ must follow some state s J+1 in which color u = c and mode Ut+1 = echo. But 
s i+ i must follow some step (^ +1 ,C0PY Ui+lMi ,5" +1 ) in which m j+1 "copies" color c from uf, 
Ui . . .u i+ i is a broadcast interval of color c in s" +1 . Proceeding inductivelyrthere must exist s' 
in which u x ■ ■ ■ Uj is a broadcast interval of color c. ■ 

Claim 7.33 Any prefix of a monocolored root interval is monocolored, and a prefix of a properly 
bicolored interval is monocolored or properly bicolored. 

Proof. Follows from the definitions. ■ 

Claim 7.34 Let R = u x u 2 ■ ■ ■ u k be a root interval in T r . Let 7 be a coloring epoch for T r , and 
let s G 7. Then, 

1. If R is monocolored in s, it is monocolored for all s' following s in 7. 

2. If R is properly bicolored (cf. Lemma 7.32) in s, it is monocolored or properly bicolored 
for all s' following s in 7. 

Proof. Follows from Lemma 7.24 and Corollary 7.26. ■ 

Corollary 7.35 Let 7 1 «7 2 be an execution fragment in Cg F such that ^j l and 7 2 are coloring 
epochs for T r of colors c x and c 2 respectively. Let Scope(7 1 ) = m. Then for any root interval 
R = Ui . . . u m in T r of length m, there exists s G 7 2 such that u x ■ ■ ■ u m is a broadcast interval 
of color c 2 . 

Proof. Note that in fstate(j 2 )Tui . . .u m is properly bicolored. The Corollary then follows 
from Lemma 7.32. ■ 

Lemma 7.36 Let "fiaj 2 aj 3 be an execution fragment in Cg F such that 7 1; 7 2 and 7 3 are 
coloring epochs for T r . Then Scope(7 2 ) > min( Scope(7 1 ) + 1, Height(T,,)). 

89 



Proof. Let ~j l and 7 2 be of colors C\ and c 2 respectively. Let Scope(7 1 ) = to; note that 
HElGHT(T r ) > to. Let B = Ui . . .u k be a branch in T r of height > mLand let R = u x ■ ■ .u m 
be a prefix of B. 

From Corollary 7.35Lthere exists a s G 7 2 such that R is a broadcast interval of color 
c 2 . If k = mT then Scope b (7 2 ) = HElGHT(T r ). If k > mT then s.color Um+1 = c x or 
c 2 . If s.color Um+1 = CiLthen u x ...w m+1 is a properly bicolored intervalLso by Lemma 7.32 
Scope b (7 2 ) > m + 1. If s.color Um+1 = c 2 Lthen Scope b (7 2 ) > m + 1 by definition. ■ 

Lemma 7.37 Let ~li(i~i 2 be an execution fragment in Cg F such that ^j l and 7 2 are coloring 
epochs for T r , and let Scope(7 1 ) = m. 

For any integer i, if (lstate(j 2 ).now — fstate(j 2 ).now) > i, then for any root interval R = 
Ui . . .u k of length < (m + i), there exists a state s G 7 2 such that s.now < fstate(j 2 ).now + i, 
and R is either monocolored or properly bicolored in s. 

Proof. By induction on i. 

Base (i = 0): ClearlyLin fstate(j 2 )T any interval Ui...u k of length < m is monocolored if 
k = lLand is properly bicolored if k > 1. 

Now suppose the Lemma holds for i. We need to show that it must hold for i + 1. 

Consider any root interval R = u x ■ ■ .U( m+i+ iy Since the Lemma holds for iLthere exists 
a state s G 7 2 such that s.now < fstate(j 2 ).now + iLand u x ■ ■ -u m+i is either monocolored or 
properly bicolored in s. There must exist a step (si,COPY u u ,s 2 ) in 7 2 Lsuch that Si 

follows sLand (si.now < s.now + 1). Thus s 2 .now < (fstate(j 2 ).now + i + 1). Consider the 
two cases: 

Case 1 Ui . . .u m+i is monocolored in s. 

ThenLby Claim 7.34LM! . . .u m+i must be monocolored in SiLand therefore it must be 
monocolored in s 2 . Hence the Lemma follows. 

90 



Case 2 Ui . . .u m+i is properly bicolored in s. 

Then by Claim 7.34LM! . . .u m+i is either monocolored or properly bicolored in Si. If 
Ui . . .u m+i is monocolored in SiTui . . . tt( m+i+1 ) must be monocolored in s 2 . If u x ■ ■ -u m+i 
is properly bicolored in SiTui . . . tt( m+i+1 ) must be properly bicolored in s 2 . Hence the 
Lemma follows. 



Corollary 7.38 Let 7 1 «7 2 be an execution fragment in Cg F such that ^j l and 7 2 are coloring 
epochs for T r , and let Scope(7 1 ) = m. 

For any integer i, if (lstate(j 2 ).now — fstate(j 2 ).now) > i, there exists a state s G 7 2 such 
that s.now < fstate(j 2 ).now + i, such that every root interval of length < (m + i) is either 
monocolored or properly bicolored in s. 

Proof. Follows from Lemma 7.37 and Claim 7.34. ■ 

Lemma 7.39 Let ~i x a^ 2 be an execution fragment in Cg F such that ^j l and 7 2 are coloring 
epochs for T r , and let Scope(7 1 ) = m. Let A = (lstate(j 2 ).now — fstate(j 2 ).now). Then 

Scope(7 2 ) > min( (Scope(7 1 ) + |_AJ) , Height(T,.) ). 

Proof. Let A' = |_AJ . From Lemma 7.38Lthere exists a state s in 7 2 such that (s.now — 
fstate("f 2 ).now) < A'Land every root interval of length < m + A' is either monocolored or 
properly bicolored in s. Hence by Lemma 7.32LScope b (7 2 ) > min(m + A', HElGHT(T r )) for 
every branch B. Hence Scope(7 2 ) > min(m + A', HElGHT(T r )). ■ 

Lemma 7.40 Let a = j 1 aj 2 aj 3 . . .be an execution in Cg F , where 7 1; j 2 > Is,- ■ - are coloring 
epochs for tree T r . Then for any coloring epoch 7, 

Scope(7) > min( fstate(j). now/2 , Height(T,,) ) 

91 



Proof. By induction on 7. 

ClearlyrScoPE(7 1 ) > 0. 

Now suppose the Lemma holds for 7 8 Ti.e. Scope(7 8 ) > min( fstatedi)- now/2 , HElGHT(T r ) 
If Scope(7 8 ) = HElGHT(T r )rthen Lemma 7.36 implies Scope(7 j+1 ) = HElGHT(T r )Lwhich sat- 
isfies the Lemma. If Scope^-) < HElGHT(T r )Lthen by the inductive hypothesisLScoPE^) > 
fstate(~f i ).now/2. We show that Scope(7 j+1 ) > fstate(j i+1 ). now /2T which would satisfy the 
Lemma. Consider the two cases: 

Case 1 (fstated i + i) -now — f stated i) -now) < 1. 

Then Lemma 7.36 yields 

SC0PE( 7i+1 ) > SC0PE( 7i )+l 

> fstated ^. now j 2 + 1 (by the inductive hyp.) 
= (f state(j i). now + 2 )/ 2 

> fstate(~j i+l ) .now J 2 

Case 2 (fstated i+1 ). now — J 'statedi)- now) > 1. 

Then by Lemma 7.39L 

ScoPE(7 i+1 ) > Scope(7 8 .) + lfstate(~f i+1 ). now - fstate(~f i ).now\ 

> f stated i) -now / 2 + [fstated i+\) -now — fstated i) -now \ 

(by the inductive hypothesis) 

> f stated i) -now J 2 + (fstated i+\) -now — f stated t ) .now) / 2 

(since x > 1 implies [^J > x/2) 

= f state di+i)- now J 2 



Lemma 7.41 Let a = 7 1 «72«73 • • • be an execution fragment in Cg F , where 7^ 72, 73,. . . are 
coloring epochs for T r . There exists an epoch j i in a such that f stated i) -now — 3HElGHT(T r ), 
and Scope(7 8 ) = Height(T,,). 

92 



Proof. If there exists an epoch 7,- in a such that 3HElGHT(T r ) > fstate (7,). now > 2HElGHT(T r )L 
then by Lemma 7.40 Scope(7 8 ) = HElGHT(T r ). If there is no such epoch 7 8 Lthen there must 
exist an epoch j i such that fstate (7,). now < 2HElGHT(T r ) and lstate(^ 8 -) .now > 3HElGHT(T r ). 
Since \lstate(^j t ) .now — /state (7 8 ).nowJ > HElGHT(T r )rLemma 7.39 implies that Scope(7 8 ) = 
Height(TA ■ 



Lemma 7.42 Cf>^ MT r W G p. 



Proof. Let s G Cg F . Let a be any execution fragment in Cg F beginning with sLfor which 
(Istate(a).now — fstate(a).now) > 4S + 1. Let a = 7 1 «72«73 • • .Lwhere 71L72L73L . . are color- 
ing epochs. By Lemma 7.41Lthere exists an epoch j i such that fstate(~f ;•) .now < 3HElGHT(T r ) 
and Scope(7 8 ) = Height(T,,). 

If Lstateij^.now < 4HElGHT(T r )Lthen since Scope^-) = HElGHT(T r )Lthere exists a state 
s' = Istateijj) such that s' .now < 4HElGHT(T r ) + 1 and s' G MT r . 

If Lstateij^.now > 4HElGHT(T r )Lthen since fstateij^.now < 3HElGHT(T r )LLemma 7.28 
implies that for any state s' in 7,- such that 4HElGHT(T r ) < s' .now < (4HElGHT(T r ) + 1)L 
s'.DoMAiN(T r ) = HEiGHT(T r )Lwhich implies that s' G MT r . 

Since HElGHT(T r ) < <*>Lthe Lemma follows. ■ 

7.2.2 The "Blocking" Result 

In this section we establish the second of the two self-stabilization resultsL MT r =£ QT r . 
ThusLstarting from a state in Cg F in which T r is monocoloredLany execution reaches a state 
in which tree T r is well-coloredLwithin time 13<*> + 6. 

If a tree T r is monocolored with some color c in some state sLit stays monocolored until the 
root chooses a new color c'. When the new color c' is propagated to all nodes in the tree (as it 
must beLfrom Lemma 7.36)Lthe tree becomes well- coloredL since in the process of copying a 
new color from its parent a node resets its own coloring variables (through Reset- Color u ). We 
showLin Lemma 7.62Lthat within 12(5 + 6 time the root must choose a new color. 

93 



In order to choose a new colorrthe root must first set its mode to echo (from the code)r 
which requires that all its children echo. A node u could be prevented from echoing because it 
may be blocked by its neighbors — if its color is non-zerorit needs to notice a non-zero color at 
each of its neighbors (i.e.Tnbr-color uv ^ undefined) Land it needs to notice that all neighbors 
have observed its color (self-color uv = color u ). Theorem 7.60 shows that a node can be blocked 
for at most 10<*> + 5 timeLwhich implies that an "echo wave" must reach the root and cause it 
to choose a new color within 12# + 6 time. 

Definition 7.43 (Waiting) A node u waits in state s G Cg F if it is in a broadcast interval 
(cf. Definition 7.30). It waits with color c if it is waiting in s and s. color u = c. ■ 

Definition 7.44 (Waiting epoch) Let a be an execution fragment in Cg F . A waiting epoch 
oj for u is a maximal fragment contained in a such that u waits in each state of uj and color u 
remains constant in uj. A waiting epoch of color c is a waiting epoch in which u waits with 
color c. ■ 

Definition 7.45 (Blocking, enabling) Let u be waiting in s with color c / d and let 
v G Nbrs(u). ThenL 

• u is blocked by v on self-color in s if s.self-color uv ^ color u . OtherwiseLM is enabled by v 
on self-color. 

• u is blocked by v on nbr- color in s if s.nbr-color uv = undefined. OtherwiseLM is enabled 
by v on nbr-color. 

• u is blocked by v in s if it is blocked by v on self-color or nbr-color. 

• u is enabled by v in s if it is enabled by v on both self-color and nbr-color. ■ 

Definition 7.46 (Recoloring) A node u is recoloredm a step (s,a,s r ) if s. color u ^ s' .color u . 



94 



Lemma 7.47 Let r £ p(s), and let a be an execution fragment in Cg F starting with s. If 
s.mode r = broadcast, and if there exists s' £ a such that s' color r ^ s. color r , then there exists 
a state s" preceding s' in a such that s" .color r = s. color r and s" .mode r = echo. 

Proof. Let (si,a, s 2 ) be the first step in a such that Si.color r j^ s 2 .color r ; there must exist 
such a step between s and s' in a. From the coder a can only be NEXT-COLOR,,. Since 
Si.color r = s. color r T and since Si.mode r = echo from the condition in NEXT-COLOR r Lthe 
Lemma follows. ■ 

Claim 7.48 In any step (s,a, s') in Cg F such that s.mode u = broadcast and s' .mode u = echo, 
u is enabled by all v £ Nbrs(u) in s. 

Proof. Follows since a can only be DETECT-TREES U and the conditions in [J] must be 
satisfied. ■ 

Lemma 7.49 Let u be waiting in s, and let a be any execution fragment in Cg F starting with 
s. If there exists a step (s',a,s") in a in which u is recolored, then there must exist a state Si 
between s and s" in a such that u is enabled by all v £ Nbrs(u) in s±. 

Proof. Since u is waiting in sr there exists a broadcast interval R = UiU 2 . . .u in s. From 
Lemma 7.3irthere exists s 2 between s and s" such that R is an echo interval in s 2 . Since 
s 2 .mode u = echorthe Lemma follows from Claim 7.48. ■ 

Lemma 7.50 Let uj be a waiting epoch for u of color c. In any state s £ lo such that (s.now > 
fstate(uj) .now + 2), u is enabled by all v £ Nbrs(u) on self-color. 

Proof. Let uj be a waiting epoch of color c. For any v £ M>rs(M)rthere must exist a step 
(si,COPY„ u ,s 2 ) in uj such that Si.now = s 2 .now < fstate(uj).now + 1. Since Si.color u = cT 
s 2 .color vu = c. There must exist another step (s 3 ,COPY u „, s 4 ) following s 2 in uj such that 
s 3 .now = s A .now < s 2 .now + 1. Since s 3 .color vu = d s A .self-color uv = c. Hence u is enabled 
by v on self-color in s 4 . Furtherrfor all states s following s 4 in uj u must remain enabled by v 
on self-color. Hence the Lemma follows. ■ 

95 



Lemma 7.51 Let a be an execution fragment of duration > 1 contained in a waiting epoch 
for u. If u is blocked by v on nbr-color in Istate(a), then Istate(a). color uv = 0. 

Proof. Consider the last step (s,a, s') in a such that a = COPY u „. Since lstate(a).nbr- 
color uv = undefined T and COPY u „ is the only action that can change nbr-color uv between s' 
and lstate(a)Y\t follows that s' .nbr-color uv = undefined. Since statement [C] must have been 
executed in the COPY u „ stepTs' .color v = Ofand therefore s' .color uv = = Istate(a). color uv . 



Lemma 7.52 Let uj be a waiting epoch for u. If u is enabled by v on nbr-color in some s £ uj, 
u is enabled by v on nbr-color for all s' following s in uj. 

Proof. From the codeLMf s.nbr-color uv ^ undefinedTthe only code that can change s.nbr- 
color uv to undefined is the call to Reset-ColorQT which can be made either through [D] of 
COPY ut , or through NEXT-COLOR,, or EXTEND-IL\. Since lo is a waiting epoch for wLnone 
of these possibilities is feasible. ■ 

Lemma 7.53 Let s be a state in Cg F in which u is blocked by v on nbr-color, s.color uv = 
or undefined, and v is blocked by u on self-color. Let a be any execution fragment in Cg F 
beginning with s. Then if there exists s' £ a such that v is enabled by u on self-color, there 
exists s" before s' in a such that u is enabled by v on nbr-color. 

Proof. s.color uv = or undefinedr s.self-color vu ^ s.color v T&nd s' .self-color vu = s' .color v . 
From Lemma 7.49rit is possible to choose an s' in a satisfying the given conditions such that 
s' .color v = s.color v . Since s.self-color vu ^ s.color v and s 1 .self-color vu = s.co/or„rthere must 
exist a step (5 1 ,COPY„„,s 2 ) between s and s' in a such that Si.self-color vu ^ s.color v and 
s 2 .self-color vu = s.color v . Hence Si.color uv = s.color v ^ 0. Since s.color uv = or undefinedr 
and Si.color uv > Or there must exist a step (s 3 ,COPY M „,s 4 ) between s and Si such that 
s 3 .color uv = or undefined and s A .color uv > 0. Since s 3 .color v ^ OFstatement [C] in COPY u „ 
sets s A .nbr-color uv = s 3 .color v ^ undefined. Thus u is enabled by v on nbr-color in s 4 . ■ 

96 



Lemma 7.54 Let s be a state in Cg F in which u is blocked by v on nbr-color, s. color uv = 
or undefined, and v is blocked by u on self-color. Then in any execution fragment a in Cg F 
beginning with s, there exists s' following s in a such that s' .now < s.now + 1 and u is enabled 
by v on nbr-color. 

Proof. There exist two exhaustive possibilities: 

Case 1 There exists s' following sin a such that s' .now < s.now + 1 and v is enabled by u 
on self-color. 

Then from Lemma 7.53rthere exists s" before s' in a such that u is enabled by v on 
nbr-colorT and the Lemma follows. 

Case 2 There exists no s' following sin a such that s' .now < s.now + 1 and v is enabled by 
u on self-color. 

There must exist a step (si, COPY u „,s 2 ) i n a such that Si.now < s.now + 1. Since v 
is not enabled by u between s and SiTsi.color v = s.color v > 0. From statement [C] in 
COPY uv Ts 2 .nbr-color uv = Si.color v > 0; hence the Lemma follows. ■ 

Lemma 7.55 Let (s,a, s') be a step in Cg F in which s' .color u ^ s. color u . Then u is blocked 
by all v G Nbrs(u) in s' . 

Proof. Follows since a must have called Reset-Color. ■ 

Lemma 7.56 Let T r be monocolored with color in s. In any execution fragment in Cg F of 
duration > 26 beginning with s, there exists a state Si in which mode r = echo. 

Proof. From the code in statement [J] in DETECT-TREESTnodes with color do not "wait" 
for neighbors to enable them before echoing; a node u with color echoes as soon as it notices 
that all its children are echoing. Thus the root must echo within time 28. ■ 

97 



Lemma 7.57 Let tree(m) be monocolored with color in s £ Cg F . For any execution frag- 
ment a in Cg F beginning with s, there exists s' following s in a such that s' .now < s.now + 46, 
u waits in s' , and u is blocked by all neighbors v £ Nbrs(u) in s' . 

Proof. By Lemma 7.56rwithin time 26 in a a state is reached in which mode r = echo. Thus 
within time 26 + ITr must choose a new color (through NEXT-COLOR^,). Within 6 additional 
timeLM must be recolored with this new color. The Lemma follows from Lemma 7.55. ■ 

Lemma 7.58 Let tree(m) be monocolored with a color ^ in s, and let a be an execution 
fragment in Cg F beginning with s. If there exists a state s' following s in a such that s' .now < 
s.now + 1 and s' .color u = 0, then there exists a state s" following s in a such that s" < s + 1 + 2^ 
and tree(m) is monocolored with color in s" . 

Proof. Let T r = tree(m). Since non-root nodes can only copy new colors from their parentsL 
the coloring epoch 7' containing s' is different from the epoch 7 containing s. Since T r is mono- 
colored in sLScope(7) = Height(T,,). Hence from Lemma 7.36LScope(7') = Height(T,,). 
Since 7' is of color OLthere exists a state s" in 7' such that T r is monocolored with color 0. 
Since s' .color u = OLand each child copies its parent's color within time 2Lsuch a state s" exists 
for which s" '.now < s' .now + 26. ■ 

Lemma 7.59 Let u be blocked by v on nbr-color in s, and let a be a fragment starting with s 
that is contained in some waiting epoch for u. If there exists an execution fragment a-y in a 
such that (Istate(a).now — fstate(a).now > 1) and s' .color v ^ for every s' £ «i, then u is 
enabled by v on nbr-color in Istate(ai) . 

Proof. There must exist a step (si, COPY u „,s 2 ) i n a i- Since Si.color v > 0L[C] in the code 
for COPY u „ sets s 2 .nbr-color uv = Si.color v > OLand so u is enabled by v on nbr-color in s 2 . 
The Lemma then follows from Lemma 7.52. ■ 



98 



Theorem 7.60 Let a be an execution fragment inCg F , and letuj be a waiting epoch of duration 
> (108 + 5) contained in a. In any s' G oj such that s' .now > fstate(uj).now + (108 + 5), u is 
enabled by all v £ Nbrs(u) on nbr-color. 

Proof. Let s = fstate(u)T and let u be blocked by some neighbor v on nbr-color in s. Let Si 
be a state in uj such that (s.now + 1 < Si.now < s.now + 2). If u is blocked by v on nbr-color 
in SiLthen by Lemma 7.51 s±. color uv = 0. By Lemma 7.42Lthere exists s 2 following Si in a 
such that s 2 .now < (si.now +4^ + 1) and tree(v) is monocolored in s 2 . If u is blocked by 
v on nbr-color in s 2 Lby Lemma 7.51 s 2 .color uv = 0. Note that s 2 .now < s.now + (48 + 3). 
Consider the two cases: 

Case 1 TREE(f) is monocolored with color in s 2 . 

By Lemma 7.57Lthere exists s 3 following s 2 in a such that s 3 .now < s 2 .now + 48 and v 
is blocked by u in s 3 . If u is blocked by v on nbr-color in s 3 LLemma 7.51 implies that 
s 3 .color uv = 0. Then by Lemma 7.54Lthere exists s 4 following s 3 in a such that s A .now < 
s 3 .now + 1 and u is enabled by v on nbr-color. Note that (si.now < s.now + (4^ + 3) 
+4<5 + 1) = (s.now+ 88 + 4). 

Case 2 TREE(f) is monocolored with some color ^ in s 2 . 

Then there must exist a step (s 3 , COPYut,, s 4 ) such that s 3 follows s 2 in a and s 3 .now < 
s 2 .now + 1. If s 3 . color v ^ OTu is enabled by f in s 4 on nbr-color. (Note that s A .now < 
s. now + (48 + 3) + 1 = s.now + 48 + 4.) If s 3 . color v = OLby Lemma 7.58 there exists a state 
s 4 following s 2 in a such that (si.now < s 2 .now +1 + 28) and TREE(f) is monocolored 
with color in s 4 . We now proceed as in Case 1 and conclude that there exists s 5 following 
s 4 in a such that (s 5 .now < s A .now + (48 + 1)) and u is enabled by v on nbr-color in s 5 . 
Note that s 5 .now < (s 2 .now + 6<*> + 2) < (s.now + 10^ + 5). 

By Lemma 7.52Lm is enabled by v on nbr-color for all s' following s in uj such that s' .now > 
(f state (u). now + 108 + 5). ■ 

99 



Lemma 7.61 Let a be an execution fragment in Cg F , and let uj be a waiting epoch of duration 
> (108 + 5) contained in a. In any s' £ uj such that s' .now > fstate(uj).now + (108 + 5), 
(s 1 .self-color uv = col or u ) and (s 1 .nbr-color uv ^ undefined). 

Proof. Follows from Definition 7.45rLemma 7.50rand Theorem 7.60. ■ 

Lemma 7.62 Let s G AiT r . In any execution fragment a in Cg F of duration > 128 + 6 
beginning with s, there exists a step (V, NEXT-COLOR,,, s") in a such that (V .now < s.now + 
128 + 6), s 1 .color r ^ s" .color r , and s' G AiT r . 

Proof. This is a consequence of Lemma 7.61 and the fact that a node enabled by all its 
neighbors echoes at most 2 time units after all its children have echoed. ■ 

Lemma 7.63 Let (s, a, s') be a step in Cg F such that s G AiT r and s' .color r ^ s. color r . Then 
in any execution fragment a in Cg F of duration > 8 beginning with (s,a,s'), there exists s" in 
a such that s" .now < s.now + 8 and s" G QT r . 

Proof. Let c' = s'.color r . Each branch B G BRANCHEs(T r ) is properly bicolored in s'Land 
thus by Lemma 7.32Lfor each branch B there exists a state s B such that B is a broadcast 
interval of color c'. State s B must be reached within time 8 (since color c' can take upto 8 time 
to propagate); any state following the latest such s B in a must be in QT r . ■ 

Lemma 7.64 MT/Mj 6 QT r . 

Proof. Follows from Lemmas 7.62 and 7.63. ■ 



7.2.3 Self-stabilization of the Coloring Algorithm: Main Result 

Lemma 7.65 Cg F =£ C^ c . 

100 



Proof. For all r £ <J>Lfrom Lemma 7.42 Cg F =$- A4 T r Tand from Lemma 7.G4TA4T r =£ QT r . 
Hence for all rTCg F => QT r . Since QT r =^> QT r ^\ by Lemma 7.12Lthe Lemma follows. ■ 



Lemma 7.66 (Main coloring self-stabilization result) C~ => C 



96+8 ( 

wc- 



20 + 1 170 + 7 

Proof. From Lemma 7.7LC~=/- Cg F . From Lemma 7.65LC^ F ==£ C^ c . Thus the Lemma 
follows. ■ 



7.3 Tree Detection 

From Lemma 7.66Lstarting from any state in C = Lwithin time 19<*>+8Lunress a state in C 1 is 
reachedLa state in C^ c is reachedL which implies that all trees are well-colored. Thus the 
coloring algorithm can proceed "normally." 

In this section we show that the coloring algorithm achieves its goal of detecting the exis- 
tence of multiple trees with the same root IDLby showing that C^ c — ► C 1 . 

Definition 7.67 (Neighboring trees) Trees T r andT r i are said to be neighbors if there exist 
u £ T r and v £ T r < such that v £ Nbrs(u). 

Let a be any execution starting with a state in C^j> c Land let a 1 be the maximal prefix of 
a that is in C^> c Lif a is finiteLor a itselfTif it is infinite. Let T and T be neighboring trees. 
From Observation 7.2 IT a' can be partitioned into coloring epochs j i for T and 7 f i for T such 
that a' = 7 1 a7 2 «7 3 . . . = 7i«7 2 a 73 • • •• 

Definition 7.68 (7^ notices 7) Let T and T be neighboring trees. Let j i and 7 • be coloring 
epochs for T and T respectivelyLand let Color(7 8 ), Color(t") 7^ 0. ThenLin execution aTj i 
notices 7 • if there exists a step (s,C0PY u „,s') in ot such that u £ TTv £ TTv £ Nbrs(u)T and: 

1. s Gt.Ts £ 7,.; 

101 



2. s.color u = CoLOR.(7j)rs. color v = Color(7-); 

3. s.mode u = broadcast. 

If these conditions holdrwe also say that j i notices 7- in step (s,COPY„„, s'). ■ 

Definition 7.69 (7^ confronts 7) j i confronts 7- if 7^ notices 7- and Color(7 8 ) 7^ Color(t"- 

Lemma 7.70 Any coloring epoch 7 for a tree T r has duration < 13S + 6. 

Proof. If fstate(j) g - A^TrTthen because a new color propagates within one time unit from 
a parent to its childr there exists a state s £ 7 such that s.now < fstate(j).now + S and 
s £ AiT r . From Lemma 7.62rthere exists a step (V, NEXT-COLOR,,, s") such that s' .now < 
s.now + 12(5 + 6 and s' .color r ^ s" .color r . Thus s" begins a new coloring epoch. The Lemma 
follows from the fact that s" .now < fstate(j).now + 13<*> + 6. ■ 

Lemma 7.71 Any coloring epoch 7 of color for a tree T r has duration < 3<*> + 2. 

Proof. Similar to that of Lemma 7.70Lwith the exception that from statement [J]La node 
colored does not need to be enabled by its neighbors in order to echo. ■ 

Lemma 7.72 if 7,- confronts 7-, there exists s' following fstate^^) in a such that s' £ C 1 and 
s' .now < fstate(~j t) .now + (13<*> + 6). 

Proof. If 7 8 - confronts 7 Tsome node in T must set other-trees to true in 7 within time 11<*) + 5L 
since all nodes in T cannot remain broadcasting for more than time 11# + 5. By time 13<*> + 5L 
the root of T must set other-trees to trueLand by time 13<*> + 6Lit must extend its ID by 
executing EXTEND-ID„Lthus reaching a state in C 1 . ■ 

Lemma 7.73 There exists i < 3 such that j i notices 7- for some j . 

Proof. Consider the following possibilities: 

102 



Case 1 Color(7 1 ) = 0. 

Then by Claim 7.22 Color(7 2 ) 7= 0. There must then exist a step (s,a, s') in 7 2 such 
that s. color u = OTs' .color u = Color(j 2 )T s' .mode u = broadcast L and s' .nbr-color uv = 
undefined. Since u is blocked by v on nbr-color in sT there must exist another step 
(s",COPY„„,s'") following s' in 7 2 such that s" .nbr-color uv = undefined and s'".nbr- 
color uv > 0. s" must then belong in some epoch 7- for IT such that Color(t") 7= 0. 
From the definitionsr7 2 notices 7-. 

Case 2 Color(7 1 ) 7^ 0. 

If there exists a state s' in 7 : such that s' .color u = Color^^Ls'. mode u = broadcast 
and s' .nbr-color uv = undefinedLthen by an argument similar to that in Case lT^j l notices 
some 7-. If there exists no such sTwe use the fact that Color(7 2 ) = (Claim 7.22). 
Thenrby reasoning identical to that in Case IL73 must notice some 7-. ■ 

7.3.1 The "Order" Results 

Claim 7.74 Let i < i' . Iffj notices 7- and 7^ notices 7,, then j < j' . 

Proof. Let j i notice 7- in step (s l7 a, s 2 ) and 7^ notice 7-, in step (s 3 , a, s 4 ). Since j i precedes 
7j/ in aTs 2 precedes s 3 . Since Si G 7,- and s 3 G 7,^7- cannot follow 7-, in a'; hence j < j'. ■ 

Claim 7.75 Let j i notice 7- andjj, notice 7^. Then, 

i- (j<j')=^ (*<*')• 

Proof. Let 7 8 - notice 7- in step (s l7 a,s 2 ) and let 7-, notice 7^ in step (s 3 ,a,s 4 ). 

If (i < J')^lj precedes 7-,Lso s 2 precedes s 3 . Hence j i must precede or coincide with 7 8 -,L 
and i < i! . 

If (i > J'Wli follows 7-,Lso s 4 precedes Si. Thus j i cannot precede 7 8 -,Land i > i' . ■ 

103 



Lemma 7.76 Let i < i' , and let j i notice 7- and 7,-, notice 7-,. For any coloring epoch 7-,/ 
swc/j £/ia£ j < j" < j' , ifjjn notices some coloring epoch 7^,, then i < i" < i' . 

Proof. From Claim 7.75(l)ri < i'Tand from Claim 7.75(2)IY > i" . Hence i < i" < i' . ■ 

Lemma 7.77 Let Color(7 8 ) = Color(7-) 7^ 0, and let Color(7 8 ), Color(7 j+2 ), and 
Color(7 +2 ) all be different. Ifji notices 7-, then either 7 i+2 confronts (7- or 7 - +2 j or 7- +2 
confronts (j { or j i+2 ). 

Proof. 7 i+2 must notice j k for some k. From Claim 7.74Tk > j. If k = jTj i+2 confronts 7-. 
(Note that k 7= j + lTsince Color(t,- +1 ) = 0.) If k = j + 2r7 i+2 confronts 7, +2 . Suppose 
k > j + 2. 7j +2 must then notice some 7 8 -,rand by Lemma 7.76ri < i' < i + 2. Since Col- 
or(7 j+1 ) = OIV 7^ i + 1. Hence 7, +2 must notice either j i or 7 J+2 ; it then confronts j i and 
7i +2 respectively. ■ 

Corollary 7.78 Let Color(7 8 ) = Color^) ^ 0, and let Color(7 8 ), Color(7 j+2 ), and 
Color(t" j+2 ) all be different. Ij : j i notices 7-, then there exists s following fstate( j y i ) in a such 
that s G C 1 and (s.now < fstate( j y i ).now + 42S + 20). 

Proof. From Lemma 7.77r either 7 i+2 confronts (7 • or 7 +2 )r or 7, +2 confronts (7^ or 
7 i+2 ). Let (si,a,s 2 ) be a "confrontation step" from those mentioned above. From Lem- 
mas 7.70 and 7.71Tthe durations of j i and 7- are at most 13<*>+6Fand those of j i+1 and 
7 7+1 are a t most 3<*> + 2. Hence fstate( j j i+2 ).now < fstate( j y i ).now+ (13 S + 6)+ (36 + 2)Tand 
fstate( 7 Yj +2 ).now < fstate( 7 fA.now+ (13<*>+6)+ (36+2). Since j i notices yTLemma 7.70 implies 
that fstate (7,). now < fstate( j y i ).now+ (13<*> + 6). Therefore fstate(^f- +2 ). now < fstate("/ ,-) .now 
+ (29<*> + 14). Lemma 7.72 then implies that there exists a state s following fstate^^ in a such 
that s G C 1 and s.now < fstate( j y i ).now+ (296 + 14)+ 13 S + 6Fwhich yields the result. ■ 

7.3.2 The Tree Detection Proposition 

Theorem 7.79 C= 58 A+? 8 c 1 . 
wc 2/9 

104 



Proof. Let s G C^ c . If s G - C 1 Tthen |s.$| > 2rso there exists more than one tree in s. Let 
T and T be two neighboring trees. Let a be any execution fragment of RSST starting with 
sLand let a' be the maximal prefix of a that is in C^ c . Let a' be partitioned into coloring 
epochs 7 8 - for T and 7 f i for T such that a' = 7i«72«73 • • • = 7i«72 a 73 • • •• By Lemma 7.73L 
unless a state in C 1 is reached in a before /state(7 3 )Lthere exists i < 3 such that j i notices 7 • 
for some j. By Lemmas 7.70 and 7.71Tfstate( j y i ).now < s.now + (168 + 8). 

If Color(7j) 7^ CoLOR(7 J )Lby Lemma 7.72 there exists state s' in a such that s' G C 1 
and s' .now < fstate('y i ).now+(136 + 6) < s.now + (298 + 14). If Color(7 8 ) = CoLOR.(7-)r 
let (si,a, s 2 ) be a step in which 7 8 - notices 7-. Consider the execution automaton H = 
#(RSST,„4, Sl ). 

Let the event e' be defined as the event in which CoLOR(7 i )LCoLOR(7 i+2 )Land Color(t - +2 ) 
are all different. ThenL 

P #( e ') = P ( C ° LOR (7i) + COLOR( 7i+2 ) ) X P( COLOR(7 i+2 ) £ {COLOR( 7i ), COLOR( 7i+2 )} 
= 2/3 X 1/3 (since the colors are chosen from {1I2I3}) 

= 2/9 

For any execution a G e'LCorollary 7.78 implies that there exists s' following fstate( j y i ) in 
a such that s' G C 1 and s.now < fstate( j y i ).now + 428 + 20. Since fstate( j y i ) < s.now + 16<*> + 8L 
the Lemma follows. ■ 

We are now in a position to state the Tree Detection Proposition: 

Proposition 7.80 C= 7 -^ 6 C\ 
^ 2/9 



Proof. From Lemma 7.66LC - =£ C^^Land from Lemma 7.79TCwn —^ C 1 . Hence the 
Proposition follows. 



'ffC 1 allu llulii zinnia 1 . 1 ul ^ wc 2 



105 



106 



Chapter 8 



The Deterministic Version 



In this chapter we describe the main ideas behind the deterministic version of the algorithmr 
for ID-based networks. 

For our deterministic algorithmr we assume that each node has access to a "hardwired" 
unique ID. We refer to the unique ID as the node's UID to prevent confusion with the nodes 
"other" IDTwhich is a tuple of entries as in the randomized case. The "hardwiring" of the 
UID implies that the UID cannot be corrupted by the adversary; a nodes' UID always remains 
fixed and unique. 

The deterministic protocol is very similar to the randomized version. Each node has an 
ID consisting of a tuple of entries; each entry is now an integer instead of a pair as for the 
randomized version. The tree overrunning process (and action MAXIMIZE-PRIORITY) is 
also identical: nodes attempt to form rooted treesFand trees compete with one another for 
being the eventual spanning tree. 

The main simplificationr compared to the randomized versionr arises in the method for 
recoloring trees. We no longer need random coin flips to break symmetry: the unique UIDs 
are exploited for fully reliable symmetry breaking. Each nodeFas beforerhas a color. Howeverr 
the main difference is that trees do not need to be repeatedly recolored. Fhe root of a tree 
always attempts to propagate its UID as the color of its treeTso nodes repeatedly copy their 

107 



parent's color. If a leaf notices a neighbor with the same ID but a different colorrit concludes 
that its neighbor belongs to a different treeland informs its root through the other-trees variable 
which is echoed to its root by its ancestors in the tree. When a root detects the presence of 
a competing treerit appends its own UID to its ID; this change in its ID is automatically 
propagated to its leaves. Note that we do not need the variables direction and recorded- color 
in the deterministic case. 

The correctness and complexity proofs are analogous to those for the randomized versionl 1 
with the exception that all probabilities in Chapter 6 are now certainties. 



108 



Chapter 9 



Conclusions and Discussion 



In this thesis we have presented self- stabilizing algorithms for constructing spanning trees 
in asynchronous networks in O(diameter) time; our algorithms are time-optimal. We have 
presented both a randomized version for anonymous networks and a deterministic version for 
ID-based networks; both versions use the same general paradigm. We have presented a formal 
analysis of the randomized protocol using the Probabilistic Automata formalism of Segala and 
Lynch; in doing soFwe have demonstrated the capability of the model to effectively analyze 
the interactions between the probabilistic choices made by the random algorithmic steps and 
the nondeterministic choices made by the scheduler. 

Besides the stabilization timeFanother key measure of efficiency (which we have hitherto 
not dwelt upon) is the space required at each nodeTi.e. the size of the local memory needed at 
each node to execute the algorithm. The optimal space requirement for an ID-based protocol 
must necessarily be O(logn) (since there must exist IDs of size O(logn)). 

Our deterministic protocol requires ID extensions of size 0(logra)Tand our randomized 
protocol requires extensions of expected size (log log n). Since in a "well- colored" state (cf. 
Section 7) a root extends only if there exists another root with the same IDTit is likely that 
each root requires a total of 0(1) extensions in both versions of the protocol. If sol 1 both 
protocols would require space only O(logra) bits larger than the space occupied at the "start" 

109 



of the algorithm. (For the purposes of self-stabilizationrthe adversary is allowed to set the 
"initial" stateFwhich might occupy an arbitrary amount of space (since in our protocols IDs 
can get arbitrarily large). Howeverrthe protocols then would "consume" at most expected 
O(logra) bits of memory more than the size of the longest "initial" ID.) 

A current weakness of our scheme is that it is not guaranteed to function in bounded space; 
if the adversary sets "too much" of the initial bounded memoryrthe protocol could run out 
of space. An important open problem is to construct a time-optimal self- stabilizing spanning 
tree protocol that runs in bounded spacer without any prior knowledge about the network 
parameters. 



110 



Appendix A 

Properties of the Afek-Matias 
Probability Distribution 



We now prove Theorems 4.2 and 4.3 stated in Section 4.1. Recall the definitions of Section 
4.1. We first prove Theorem 4.2: 

Theorem A.l For any k,i, P r *(UNIQH | (Highest > i)) > 1/2. 

For the rest of this chapterrto ease the notationriet U denote the event UNIQHTand let 
H denote the random variable Highest. 

Recall that a flip x actually represents a pair (s,i)rwhere P(s = y) = l/2 J Tand P(t = 
y) = l/^rwhere for our purposes k = 201n4r. 

We will use the following result throughout this section: 
Claim A. 2 P r (x) = P r ((s,t)) = 1/(2 S • k). ■ 

Claim A.3 (a < b) => (P r (a) > Pr(b)). 

Proof. Let a = (s a ,t a ) and b = (s^^Tand let a < b. Then if s a < s h TP r (a) > Pr(b)- If s a = 
s b and t a < t b TP r (a) = P r (b). ■ 

111 



Lemma A. 4 If a <b, then 

P r ((X < a) | (X < a)) < P r ((X < b) \ (X < &)). 

Proof. We haver 

P r (X < a) 



P r ((X <a)\(X < a)) 



P r (X < a) 

PAX < a) - P r (X = a) 



PAX < a) 
PAX = a) 
PAX < a) 

Similarlyr 

PAX = b) 



PA(X <b)\(X <b))=l 



PAX < b) 



But clearly P r (X < a) < PAX < b) Tand from Claim A.3rP r (X = a) > PAX = b). 
Hence the Lemma follows. ■ 



Henceforthr unless otherwise mentionedr all probabilities are assumed to be in the space 



1 AM- 



Lemma A. 5 Ifa<b, P r *(U | (H = a)) < P r *(U | (H = b)) . 

Proof. In the event (U fl (H = a)) in r^ M T the highest of the k flips is unique and 
is equal to a; all the other k — 1 flips are less than a. Hence P r j.(U | (H = a)) = k X 
[P r ((A < a) | (X < a))] & " 1 rand similarly P r *(U | (H = b)) = kx[P r ((X < b) \ (X < 6))]*" 1 . 
The Lemma follows from Lemma A. 4. ■ 

Lemma A. 6 For any i, P(U | (H > ij) > P(U | (H < ij). 

112 



Proof. We haver 

p(un(P< ij) 



P(U I (P < i)) 



P(H < i) 
P(U n ((P = 1) U (P = 2) U . . . U (P < ijj) 
P(H = 1) + P(H = 2) + . . . + P(H = i) 

ELi P(H = m) 

Yl m=l P(H = m)P(T}\(H = m)) 



(A.l) 



EUi P(H = m) 
Similarlyr 

Now by Lemma A.5Lmax m <j P(U | (P = to)) < inf m>! - P(U | (P = to)). ThusLwe can 
choose a z such that 



maxP(U | (P = to)) < z < inf P(U | (P = to)) 

m < z m > z 



Then from (A.l)rP(U | (P < i)) < zLand from (A.2)rP(U | (P > ij) > z. Hence the 
Lemma follows. ■ 

Theorem A. 7 P r * (UNIQH | (Highest > i)) > 1/2. 

Proof. We haveL 

p(u) = P(un(P< i)) + P(un(P > ij) 

= P(H < i)P{[] | (P < ij) + P(H > i)P(\] | (P > ij) 
= [fP(H <i) + P(H >i)]P(U|(P >ij) 

where / < lLbecause of Lemma A. 6. Since P(H < i) + P(H > i) = lLwe have 

P(U) < P(U | (P > ij) 
113 



Since P(U) > 1/2 by Theorem 4. Hit follows that P(U | (H > i)) > 1/2. ■ 

We now proceed with the proof of Theorem 4.3rwhich states that for any k, iT P r k(Highest ^ i) 
> (l- e -i/4) = 0.22. 

We first prove an ancillary lemma: 
Lemma A. 8 For any e such that < e < 1/2, and any n > 0, 

/(e, n) = (1 - e) n - (1 - 2e) n < 0.78 

Proof. If (1 — 2e) n > l/2rthen f(e,n) < l/2rso the Lemma holds. We now consider the case 
in which (1 - 2e) n < 1/2. Since (1 - 2rae) < (1 - 2e) n rit follows that (1 - 2rae) < l/2rwhich 
implies that e > l/4ra. Thus 

f(e, n) < (1 - 6)" < (1 " ^) n < e" 1/4 < 0.78, 

thus proving the Lemma. ■ 

Given a random flip sLlet x.s and x.t denote its two fields. Recall that P r (X.s = j) = 
1/2*. 



Claim A. 9 



MX.s >j) = jj 



Proof. 



PAX.syj) = J2 P r(X. 



S = TO) 
m=j + l 
oo -i 

y — 

/— i 9 m 

m=j + l 
1 

Yi 
114 



Corollary A. 10 



Corollary A. 11 



Claim A. 12 



Claim A. 13 



Pr(X.s <j) = l 



P r (X.s <j) = l 



2i 



23- 



PMHighest.s < j) = (1 - — ) 



P r >(Highest.s > j) = 1 - (1 - -)* 



We now prove the main theorem: 



Theorem A. 14 For any k,i, P rk (Highest^ i) > (1 - e" 1 / 4 ) > 0.22. 



Proof. Let i.s = j. ThenL 



PMH^i) 



P Tk (H < i) + P r JH > i) 



> P rk (H.s<j) + P rk (H.s>j] 



'1 



1 



23- 



V 23' 



1 - [(1 - — )* - (1 - -i-r) k ] 

IA 2j ' v 23- 1 



Setting 1/2 J = eLthe last expression reduces to 



Pr-(H^i) >l-[(l-e) k -(l-2e) 



Since by Lemma A. 8 (1 — e) k — (1 — 2e) k < 0.78Lthe Theorem follows. 



115 



References 



[AB89] 
[AG90] 



Yehuda Afek and Geoffrey Brown. Self-stabilization of the alternating bit protocol. In Proc. 
8th Symposium on Reliable Distributed Systems, October 1989. 



Anish Arora and Mohamed G. Gouda. Distributed reset. In Proc. 10th Conf. on Founda- 
tions of Software Technology and Theoretical Computer Science, pages 316-331. Springer- 
Verlag (LNCS 472), 1990. 

[AK93] Sudhanshu Aggarwal and Shay Kutten. Time Optimal Self-Stabilizing Spanning Tree Al- 

gorithms. In Proc. 13th Conf. on Foundations of Software Technology and Theoretical 
Computer Science, pages 400-410. Springer- Verlag (LNCS 761), 1993. 

[AKMPV93] Baruch Awerbuch, Shay Kutten, Yishay Mansour, Boaz Patt-Shamir, and George Vargh- 
ese. Time Optimal Self-Stabilizing Synchronization. In Proceedings of the 25th Annual 
ACM Symposium on Theory of Computing, May 1993. 

[AKY90] Yehuda Afek, Shay Kutten, and Moti Yung. Memory-efficient self-stabilization on general 
networks. In Proc. J t th Workshop on Distributed Algorithms, Italy, September 1990. 

[AM89] Yehuda Afek and Yossi Matias. Simple and Efficient Election Algorithms for Anonymous 

Networks. In 3rd International Workshop on Distributed Algorithms, Nice, France, Septem- 
ber 1989. 

[Ang80] Dana Angluin. Local and global properties in networks of processes. In Proceedings of the 

12th Annual ACM Symposium on Theory of Computing, May 1980. 

[AP90] Baruch Awerbuch and David Peleg. Network synchronization with polylogarithmic over- 

head. In 31st Annual Symposium on Foundations of Computer Science, 1990. 

[APPS92] Baruch Awerbuch, Boaz Patt-Shamir, David Peleg, and Mike Saks. Adapting to asyn- 
chronous dynamic networks. In Proceedings of the 2J t th Annual ACM Symposium on The- 
ory of Computing, pages 557-570, May 1992. 

[APV91] Baruch Awerbuch, Boaz Patt-Shamir, and George Varghese. Self-stabilization by local 

checking and correction. In 32nd Annual Symposium on Foundations of Computer Science, 
pages 268-277, October 1991. 

[APV92] Baruch Awerbuch, Boaz Patt-Shamir, and George Varghese. Self-stabilizing network pro- 

tocols. Unpublished manuscript, 1992. 



116 



[AS88] Baruch Awerbuch and Michael Sipser. Dynamic networks are as fast as static networks. 

In 29th Annual Symposium on Foundations of Computer Science, pages 206-220, October 
1988. 

[AV91] Baruch Awerbuch and George Varghese. Distributed program checking: a paradigm for 

building self-stabilizing distributed protocols. In 32nd Annual Symposium on Foundations 
of Computer Science, pages 258-267, October 1991. 

[Awe85] Baruch Awerbuch. Complexity of network synchronization. J. ACM, 32(4):804-823, Octo- 

ber 1985. 

[BP89] J.E. Burns and J. Pachl. Uniform self-stabilizing rings. ACM Transactions on Programming 

Languages and Systems, ll(2):330-344, 1989. 

[Dij74] Edsger W. Dijkstra. Self stabilization in spite of distributed control. Comm. ACM, 17:643- 

644, 1974. 

[DIM91] Shlomi Dolev, Amos Israeli, and Shlomo Moran. Uniform self-stabilizing leader election. 

In Proc. 5th Workshop on Distributed Algorithms, pages 167-180, 1991. 

[LSS94] Nancy Lynch, Isaac Saias, and Roberto Segala. Proving Time Bounds for Randomized 

Distributed Algorithms. To appear in Proc. 13th Conf. on Principles of Distributed Com- 
puting, August 1994. 

[SL94] Roberto Segala and Nancy Lynch. A model for randomized concurrent systems. 

Manuscript, 1994 

[Var92] George Varghese. Self -Stabilization by Local Checking and Correction. PhD thesis, MIT 

Lab. for Computer Science, 1992. 



117 



